Mishcon de Reya page structure
Site header
Main menu
Main content section

Subject access - where do the limits lie?

Posted on 2 September 2019

Subject access - where do the limits lie?

The subject access request (SAR) right under data protection law is one which has existed in the UK since 1984. In the main, it currently emanates from Article 15 of the General Data Protection Regulation (GDPR). Although SARs have been able to be made for more than three decades, the right, under GDPR, has simultaneously become more recognised by data subjects, and can now be made without charge. This has, understandably, led both to an increase in the number of SARs made, and to a concern from many about the organisational costs and other strains of dealing with them. For those in the recruitment sector, there are certain points to bear in mind.

It is important to remember that the exercise of the SAR right is an expression of a fundamental right under the Charter of Fundamental Rights of the European Union but also to appreciate what the basis for the right is, and that there are exemptions to the obligation to comply with it. Although it is often said that the right is "motive blind", GDPR also says that the exercise of it is "in order to be aware of, and verify, the lawfulness of the processing". A SAR which expressly and solely says, for instance, that its purpose is to frustrate, or to bring proceedings, may not be a proper exercise of the right.

Prior to dealing substantively with a SAR, an organisation should ensure that it is from who it purports to be from: GDPR provides that, where a controller has reasonable doubts concerning the identity of the applicant, it may request additional information as confirmation. Furthermore, at least in cases where an organisation processes a large quantity of information concerning the applicant, it should be able to request that they specify the information to which the request relates.

Crucially, the right relates to "personal data" processed by a controller. GDPR requires certain particulars of information to be given to the requester, and that a copy of the data undergoing processing be provided. Information which is not "personal data" has no relevance, and there are no rights relating to such information under GDPR. "Personal data" means "any information relating to an identified or identifiable natural person". As far back as 2003 the Court of Appeal decided that “Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject”.  Although there has been criticism of this judgment, and clarification (in a decision approving the Information Commissioner’s then guidance which said “It is important to remember that it is not always necessary to consider ‘biographical significance’ to determine whether data is personal data.  In many cases data may be personal data simply because its content is such that it is ‘obviously about’ an individual”), it remains good law. It is necessary, therefore, for organisations that receive a SAR to assess which information they are processing is, and isn't, "personal data" of the applicant.

Additionally, there are circumstances where there is no obligation to comply with a SAR. Exemptions within the GDPR itself are broadly limited to two examples. The first is where requests are "manifestly unfounded or excessive", and the second is an exemption to a data subject's right to obtain a copy of their data, and applies where doing so would adversely affect the rights and freedoms of others. However, GDPR allows member states to legislate for further restrictions, and the Data Protection Act 2018 contains a number of exemptions in the recruitment field including relating to personal data processed for the purpose of the prevention or detection of crime, for immigration control, for certain regulatory purposes, for management planning and forecasting, and for confidential references.

Although failure to comply with GDPR has the potential to attract regulatory sanctions (including fines), and legal claims, the most serious of these will be reserved for the most serious and egregious infringements. And as yet, no fines have been imposed by the UK Information Commissioner (although this is almost certain to change).

How can we help you?

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else