Data Subject Access Requests Guidance Note

Introduction and general information

Statutory data protection duties apply to solicitors, in exactly the same manner as they apply to other professionals, individuals and companies processing personal data.

This Guidance Note provides best practice guidance for solicitors on how to handle data subject access requests (DSARs) which they may receive under data protection legislation.


The relevant statutes are the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 together with related statutory instruments.


The purpose of this Guidance Note is to provide recommendations as to good practice on how solicitors should deal with DSARs. This Note does not constitute a legal interpretation of the legislation and is not legal advice. Because the assessment of whether a right to access data arises will be different in every circumstance, this Guidance Note will not be applicable as best practice to every possible scenario of a DSAR.


Where reference is made in this Guidance Note to a “controller”, it can be taken to mean the solicitor and where reference is made to a “data subject”, it is a reference to the person who has placed a data access request with a solicitor. Some solicitors may be “processors” rather than controllers and, in these circumstances, the solicitor may be bound in how it responds to such requests by the data processing agreement with the controller.

This guidance relates to the solicitor as “controller” scenario. 


This Guidance Note comprises a series of questions for consideration by a solicitor when processing a data subject access request. Solicitors may find it helpful to document their thought process while working through these questions so as to determine the manner in which they will deal with the request. A well-documented step-by-step process can then be referenced by the solicitor in communications with the person who has requested access, when either explaining the basis upon which access may be provided or if refusing access.


Use the Law Society’s DSAR Checklist to ensure you complete all of the steps involved in handling a data protection access request and have a note of the reasons for refusing access.


Where the data subject making the request is not a client, it is not advisable to open a new file referenced under the data subject’s name simply for the purposes of compiling all data material you have in relation to that person in one place. In such circumstances, a file on general data access requests by non-clients should be opened.

 

How to deal with data access requests

Solicitors occasionally receive data access requests under data protection legislation. More often than not, these requests come from clients or employees of a firm. On very rare occasions they can arise from non-clients seeking to obtain data in relation to them which you may hold on client files.


As a starting point, solicitors should approach a data access request by, firstly, familiarising themselves with the statutory right. The right of access is contained in Article 15 of GDPR. In broad terms, it confers on individuals a right to require a controller to provide the following:

  • Whether or not personal data regarding the data subject is being processed;
  • The purpose of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipient to whom the personal data has been or will be disclosed, including recipients in third countries and international organisations;
  • The retention period or the criteria used to identify the retention period;
  • The existence of the right to rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • The right to lodge a complaint with the supervisory authority;
  • Where the personal data is not collected from the data subject, any available information as to its source;
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject;
  • The safeguards in place relating to transfers to third countries or international organisations, if applicable; and
  • A copy of the personal data undergoing processing.

 

How to approach a data subject access request within the first few days

Once a solicitor has familiarised themselves with the statutory imperatives of the right of access and the accompanying statutory exemptions, the following questions can be considered and dealt with in turn.


The GDPR does not specify that a request must be in writing and therefore it may be made orally or in writing. Firms should consider their procedure for logging an oral request to ensure that it is not overlooked. Solicitors should provide means for requests to be made electronically especially where personal data is processed electronically (Recital 59 GDPR).

The data subject does not have to specify the legal ground upon which they are making their request.

It is advisable that, once a data access request has been received, all future communications with the person who has made the access request be in writing (such as by email).


In most cases, it is no longer permitted to charge a fee to the data subject.

A fee may be charged only in two situations. The first is for further copies of personal data requested by the data subject after the initial copy has been provided; that fee must be reasonable and based on administrative costs (Article 15(3) GDPR). The second is where a request is manifestly unfounded or excessive in nature, in which case the solicitor may either charge a reasonable fee, again having regard to administrative costs, or refuse to act on the request (Article 12(5) GDPR). In either case the burden of demonstrating that the request is manifestly unfounded or excessive rests with the controller.


A solicitor must satisfy themselves that the person requesting the information is the person they claim to be. If the solicitor can demonstrate that it is not in a position to identify the data subject, it may refuse to act on the data access request (Article 12(2) GDPR). Article 12(6) GDPR permits a solicitor to require the person making the data access request to supply information which is reasonably required in order to confirm the identity of the individual. Identity checks should be proportionate to the sensitivity of the data sought and should not be used as a device to delay the response.

Face-to-face photographic verification of identity may be required, relying on either a passport or a driver's licence. Where holding a copy of the passport or driver's licence would be excessive processing, the solicitor may instead document that they have satisfied themselves as to the identity of the data subject and the method used (example: viewed original passport and verified identity in a face-to-face meeting at [time] on [date] at our offices). Where the data subject does not wish to allow a copy to be taken, this should be accommodated unless there are specific circumstances which require another approach. If the person is unable to attend the solicitor's office, the solicitor can request that the person furnish a certified copy of their passport or driving licence so their identity can be verified.

Even when a request is received from a client whose identity has already been verified, perhaps as part of your anti-money laundering customer due diligence or simply in accordance with the Society's best practice advice, a solicitor should ensure that the person making this particular data access request is the person they claim to be, rather than relying on the fact that the request arrived from an address or number previously associated with the client.


Article 12(3) of GDPR requires solicitors to comply with a data access request “without undue delay” and “in any event within one month” of the request. If a solicitor decides to follow best practice advice and satisfy themselves by reference to photographic identification evidence that the person making the request is the person they claim to be, then there may be a ground for stating that time does not begin to run until the person making the request has satisfied the solicitor as to their identification (note: this is not expressly stated in the GDPR). It is important to notify the data subject in writing as early as possible, should you intend to require identification verification.

It is possible to extend the period by a further two months where necessary, taking into account the complexity and number of requests, but the solicitor must inform the data subject of the extension, and of the reasons for it, within one month of receiving the data access request (Article 12(3) GDPR).


On receipt of a data access request, you should promptly write to the data subject along the following lines:

  • acknowledge receipt of their oral request, letter, email or fax
  • state the date on which their letter or email was received by your office
  • suggest a date and time for the data subject to attend your office so that you can verify their identity as the person they claim to be and note that, should they not be in a position to attend on the date and time suggested, that they might contact your office in writing suggesting an alternative date for verification
  • inform the data subject that the statutory timeline of “without undue delay and within one month” in which you have to comply with a request may be delayed by their failure to verify their identity (provided this is required by the solicitor).

 

How to process the data access request

When the initial stages of the request have been handled by the solicitor, the actual processing of the request can begin. A solicitor can process a data access request by answering the following questions in turn and recording the reasoning that leads to one of three outcomes: providing access, providing access to redacted materials, or refusing access entirely. Even where the end result is that the data subject is refused access, or that no data relating to them is held by the solicitor, it is important to be able to show that each of the following steps has been completed, both to the data subject and, if a complaint is made by the data subject, to the Data Protection Commission or the court.


The majority of data access requests received by solicitors emanate from clients or employees. Very occasionally, a data access request may arise from a third party. Where data access requests arise from clients, the main focus will be establishing what material constitutes "personal data" covered by the legislation. When the access request arises from non-clients (including employees), the question of whether the material is subject to privilege will be of particular concern. Irrespective of whether the request arises from a client or non-client, it is advisable that a solicitor consider all of the following questions and document their thought process throughout.


The manner in which you conduct the search for data is very important. A distinction is drawn by the Data Protection Acts between automated and manual data.

How to conduct a search of your electronic data?

Where the data is stored electronically, it is automated data and, as such, it is subject to a DSAR. So, a solicitor, in the first instance, should ascertain whether they hold automated data in relation to the person making the access request, by conducting an electronic search of all electronic files held in a professional capacity by the practice (i.e. not personal files), for references to the name of the person making the personal data access request. The search results then comprise the automated files which should be reviewed further by the solicitor to ascertain whether a legitimate right of access exists. Practitioners may find it useful to print the findings of their electronic search for future reference.
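The following is an added example, not part of the Guidance Note, showing one way to carry out and document the electronic search described above. It assumes the practice's electronic files have already been reduced to plain text (in reality email, Word and PDF material would need to be extracted first), and the names, matters and file contents are constructed for the example. The search matches whole name variants rather than bare fragments, folds typographic apostrophes so dictated notes are not missed, and produces a record of every file searched and every hit so the search can be kept on the DSAR file and explained later.

```python
"""Documented electronic search for a data subject's name across practice files.

Added example (not from the Guidance Note). Walks a directory of text files,
searches every file for each name variant, and returns a record of which files
were searched, which terms were used, and every hit.
"""
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample files standing in for a practice's electronic files.
# The names, matter numbers and contents are invented for this example.
SAMPLE_FILES = {
    "matters/2019-0042/attendance_note.txt":
        "Attendance on Mary O\u2019Brien re conveyance of 12 Main Street.\n"
        "Client confirmed instructions by telephone.\n",
    "matters/2019-0042/letter_to_other_side.txt":
        "Dear Sirs,\nWe act for MARY O'BRIEN in the above matter.\n",
    "matters/2020-0107/memo.txt":
        "Internal memo: Brien Engineering invoice still outstanding.\n",
    "admin/staff_rota.txt":
        "Week 12 rota: J. Murphy, S. Walsh.\n",
}


def create_sample_files(root: Path) -> None:
    """Write the constructed sample files under a temporary root."""
    for rel, text in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")


def _normalise(text: str) -> str:
    # Typographic apostrophes and irregular spacing are common in dictated
    # notes; fold them so "O’Brien" and "O'Brien" compare equal.
    return re.sub(r"\s+", " ", text.replace("\u2019", "'"))


def build_pattern(name_variants) -> re.Pattern:
    # Whole-word, case-insensitive match on each full variant. Matching the
    # whole variant (not a fragment such as "Brien") keeps unrelated files
    # like "Brien Engineering" out of the results.
    alternatives = "|".join(re.escape(_normalise(v)) for v in name_variants)
    return re.compile(rf"(?<!\w)(?:{alternatives})(?!\w)", re.IGNORECASE)


def search_for_data_subject(root: Path, name_variants, glob: str = "*.txt") -> dict:
    """Search every matching file under root and return an auditable record."""
    pattern = build_pattern(name_variants)
    record = {
        "searched_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "root": str(root),
        "terms": list(name_variants),
        "files_searched": [],   # every file examined, hit or not
        "hits": [],             # file, line number and the matching line
    }
    for path in sorted(root.rglob(glob)):
        rel = path.relative_to(root).as_posix()
        record["files_searched"].append(rel)
        lines = path.read_text(encoding="utf-8").splitlines()
        for lineno, line in enumerate(lines, start=1):
            if pattern.search(_normalise(line)):
                record["hits"].append({"file": rel, "line": lineno, "text": line.strip()})
    return record


def write_search_record(record: dict, path: Path) -> None:
    """Keep the search record on the DSAR file for future reference."""
    path.write_text(json.dumps(record, indent=2), encoding="utf-8")


def run_demo() -> dict:
    """Create the sample files, run the search and return the record."""
    root = Path(tempfile.mkdtemp(prefix="dsar_search_"))
    create_sample_files(root)
    record = search_for_data_subject(root, ["Mary O'Brien", "O'Brien"])
    write_search_record(record, root / "search_record.json")
    return record


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['files_searched'])} files searched, {len(result['hits'])} hits")
    for hit in result["hits"]:
        print(f"  {hit['file']}:{hit['line']}: {hit['text']}")
```

The hits found by the search are the starting point for review, not the end of it: each matching file still has to be read to decide whether the material is personal data of the requester, whether it is exempt, and whether third-party details must be redacted. The list of files searched is what allows a solicitor to explain later, to the data subject or to the Data Protection Commission, what was and was not examined.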

How to conduct a search of your manual filing system?

Solicitors should be particularly careful when conducting a search for manual data held in relation to a person who has made a data access request. In some circumstances, access to all manual data may not be permitted if it is not information that has been recorded as part of the practitioner’s filing system. Consequently, it is important to have a procedure in place when gathering manual data so as to ensure that the results of the search will fall within the meaning of “manual data” and “filing system”. In this way, a solicitor can ensure that access is only provided to material explicitly covered by the legislation.

In this regard, solicitors should, first, have regard to the statutory definitions of "manual data" and "filing system". "Manual data" means "personal data which form part of a filing system or are intended to form part of a filing system". "Filing system" is defined as "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis". An example of manual data forming part of a filing system is a file with the individual's name on the front of the file.

Where an access request is made by a client, it will be likely that their file will be titled with their name and will, therefore, be part of a filing system. However, solicitors should pay particular attention to the manner in which they search for manual data where a request is received from a non-client as it may be possible that their name will not form part of their filing system. 


Article 15(4) of the GDPR states that the right to obtain a copy of the data shall not adversely affect the rights and freedoms of others. Practitioners should bear in mind that a very small set of information can in some circumstances identify an individual (a study by computer scientist Latanya Sweeney in 2000 showed that 87% of the US population could be uniquely identified by date of birth, five-digit ZIP code and gender alone). The utmost care should be taken in deciding whether or not to provide information relating to other persons, and in checking that redaction of names does not leave behind other details from which those persons can still be identified.


The type and categories of data to which a person can seek to have access is very broad. The meaning of “personal data” is important in ascertaining the data which a person can access. “Personal data” is defined very widely under the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.


There are a number of exemptions to the right of access. Please refer to s.60 of the Data Protection Act 2018 for a list of exemptions as well as s.162 (Legal Privilege). Examples include:

  • where the data consists of a confidential expression of opinion about the requester; and
  • where the data is covered by legal professional privilege.

Privileged communications

Of particular interest to solicitors is the exemption in relation to privileged communications contained in s.162 of the Data Protection Act 2018. The privilege exemption will not generally be available in relation to access requests made by clients, as privilege belongs to the client and not the solicitor; as a consequence, the issue should only arise in relation to access requests made by non-clients.


On completion of the processing of the data access request, a solicitor should write to the person making the request informing them of the outcome of the process, without undue delay and within the one month statutory time-frame (or the extended period if applicable), along the following lines:

  • If personal data is held in relation to the data subject and the solicitor has decided that the data subject is entitled to access the data, then the solicitor can satisfy the data access request by providing the data subject with a copy of this data (in electronic form if the request was received electronically or any other means as requested by the data subject) as well as the information listed in Article 15 (GDPR).
  • If no data at all is held in relation to the data subject, then the solicitor should inform the data subject of the type of searches conducted and the failure of those searches.
  • If the solicitor determines that the request is (i) manifestly unfounded or (ii) excessive in nature having regard to the number of requests made by the data subject to the controller, this should be communicated to the data subject together with the reasons and advising them that they have the right to lodge a complaint with the Data Protection Commission or seek judicial remedy.
  • If the process identifies that data is held in relation to the data subject but the solicitor determines that the data subject does not have a right to access this data under the legislation, the solicitor should outline the reasons why the solicitor believes that the data subject should not be allowed to access the data and should also inform them of their right to lodge a complaint with the Data Protection Commission and to seek a judicial remedy (Article 12(4) GDPR).

Enforcement

Broad ranging powers are conferred on the Data Protection Commission in relation to enforcement of the GDPR and the Data Protection Act 2018 and are detailed in Part 6 of the Data Protection Act 2018. The Commission has the power to conduct investigations and issue enforcement notices on foot of a complaint by a data subject. The data subject will also have the right to take an action directly against a controller where they consider that their rights have been infringed (s.128 Data Protection Act 2018).

Further information

Please visit the  for further information.