Data Subject Rights: An update
This is the third update on how the Government’s proposed Data Protection and Digital Information (No. 2) Bill (the Bill) would affect data controllers. This article will consider two pivotal changes proposed under the Bill regarding:
- the data subject rights; and
- the right to complain.
Data subject requests
A data subject request is the process whereby an individual exercises their right to access and receive a copy of their personal data and other supplementary information. Requests can be time-consuming for controllers to deal with, and there is little scope to refuse a request which appears unnecessary or designed to frustrate. Under section 53(1) of the Data Protection Act 2018, a controller can only charge a fee or refuse the request when the request is ‘manifestly unfounded or excessive’.
The Bill introduces a new (lower) threshold: a controller would be able to charge a fee or refuse the request where the request is ‘vexatious or excessive’. This revised threshold captures a wider set of unreasonable or disproportionate requests.
The burden to prove a request is vexatious or excessive remains on the controller and can be determined with regard to:
- the nature of the request;
- the relationship between the data subject and the controller;
- the resources available to the controller;
- the extent to which the request repeats a previous request made by the data subject to the controller;
- how long ago any previous request was made; and
- whether the request overlaps with other requests made by the data subject to the controller.
Helpfully, the Bill also provides examples of requests that may be vexatious. These include requests that are:
- intended to cause distress;
- not made in good faith; or
- an abuse of process.
Provided the controller can demonstrate that the request meets the above criteria, they could then charge a (reasonable) fee or refuse the request. In effect, a request will no longer be treated as ‘purpose blind’: a controller can now acknowledge the context in which the request was made and use that as a factor in determining their response.
The right to complain
The current legislation provides that a data subject can make a complaint to the Commissioner where they believe the controller has infringed the UK GDPR. The Bill would require data subjects to raise their complaint with the data controller before approaching the Commissioner.
The Bill (clause 39) sets out the process for how data subjects would make complaints and how those complaints should be handled.
The controller would be expected to make the complaints process as straightforward as possible for the data subject (for example, by providing a complaint form).
Once a complaint is received, certain obligations fall on the controller. They would have to:
- acknowledge receipt of the complaint within 30 days;
- take appropriate steps to respond to the complaint without undue delay; and
- inform the complainant of the outcome of the complaint.
The Bill sets out what would amount to taking ‘appropriate steps’ to respond to the complaint. The controller would be expected to make enquiries into the subject matter of the complaint, and if appropriate, inform the complainant about the progress on their complaint.
Data subjects can still make complaints to the Commissioner directly; however, the Commissioner would likely dismiss a complaint on its face if:
- the data subject had not already raised the complaint with the controller;
- the controller is still considering the complaint; or
- the complaint is ‘vexatious or excessive’.
Lastly, the Bill would allow the Secretary of State to make regulations requiring controllers to notify the Commissioner of the number of complaints they were receiving.
Key takeaways:
- The Bill would lower the threshold for when a controller can dismiss a data subject’s request or charge a fee for handling their request. It will be for the controller to show they were justified in dismissing a request; a good understanding of what is meant by ‘vexatious or excessive’ is therefore essential.
- The complaints process for data subjects would change under the Bill. We would see the burden of complaint handling shifting from the Commissioner to the controller. In this light, controllers should be ready to put in place measures to facilitate the complaints process for data subjects and prepare their complaint handling procedures before the Bill is enacted.
In our next article we will look at what constitutes a recognised legitimate interest. You can read the last article on the purpose limitation of reusing data here.
If you need help with data subject rights, or to learn how our data protection team could assist you, please visit the Information Law and Data Protection homepage.