Subject access requests on behalf of third parties
Subject access requests on behalf of third parties
Please send me all personal information relating to my fiancée…..
Whilst I was on holiday last week, the BBC news app ran a story by a young data researcher who had contacted 83 UK and US companies to ask for copies of his fiancée’s personal data under the General Data Protection Regulation. The fiancée had consented to him doing this research.
Out of the 83 companies contacted, 24% disclosed her personal data without any further verification check. Reassuringly, 39% asked for a ‘strong’ form of ID verification before disclosing any personal data and 13% ignored the request altogether. The remaining 24% either sent a standard ‘we have no personal data pertaining to this individual’ response (which was untrue) or asked for a weak form of verification ID which was supplied in a clearly forged manner and personal data was subsequently disclosed.
In all, Mr Pavur obtained 10 digits of his fiancée’s credit card number, its expiry date and issuer, her current and past addresses, US social security number, several current usernames and passwords (which subsequently worked on other password protected information), details of overnight stays in a certain hotel chain, details of her high school grades, her mother’s maiden name and the results of a criminal records background check. In one instance, the subject access request was posted to an online portal which disclosed the fiancée’s name, address, email and telephone number – a data breach in itself.
These findings are a salutary reminder to us all that we must take our subject access requests seriously and deal with them appropriately and within strict processes and procedures. Personal data should never be disclosed to a third party unless you have satisfied yourselves that the data subject has consented to his/her personal data being disclosed to that person. If you have any doubts at all, you should contact the data subject him/herself to ask them. In the case of a third party request for information, such requests should always be accompanied by a letter of consent from the data subject which is signed by the data subject and which is then supported by official documentation bearing the signature of the data subject.
Don’t forget that you must respond to a subject access request, they are not optional. You have one calendar month in which to respond – the time starts from the date of receipt of the request or from receipt of the verification documents which ever is the later. If you can reasonably supply the requested information sooner than this, then you should do so. You should confirm the response date with the requester and then initiate your internal processes to ensure that you adhere to the deadline. The information that you are required to disclose is personal data which ‘relates to’ or ‘focuses on’ the data subject – mere mention of their name as an attendee at a meeting, or as a sender or recipient of an email does not ‘relate to’ or ‘focus on’ them and does not need to be disclosed.
You should check with the data subject whether they want you to disclose information which they already have in their possession – it is not an automatic presumption that you don’t need to send this information. You do, unless the data subject agrees otherwise. If the request for information is onerous, you have the right to require the data subject to narrow down the scope of the request and, in extreme circumstances, refuse to act altogether. This is not something to be decided lightly – the data subject will almost certainly complain to the Information Commissioner and you will need to document and disclose the internal discussions and decisions which lead to your refusal to act. The ICO will have expected you to a) request that the scope of the request be narrowed and b) to have carried out the search and ascertained how many documents fall within the scope of the request before deciding not to respond to it.
If you have any questions relating to how to respond or deal with a subject access request – please contact the GDPR team at Paris Smith.