Next time you’re not happy with your local supermarket – maybe the staff were rude that day – don’t bother complaining, that’s so yesterday! Why not get your own back and make a Subject Access Request, sit back and imagine the chaos you may have caused?
The General Data Protection Regulation makes a prevision for data subjects to access any personal data you as an organisation may hold on them. Personal data is information that can identify them, such as their name, address, an identification number, location data or even an online identifier such as their IP address. You are obliged, upon request to give a copy of that data to anyone that asks providing you can identify them. This might be a challenge in many ways because the person in question may not even call this a Subject Access Request, it’s up to you to interpret the request and act accordingly.
Subject Access also relates to CCTV footage. So whilst you were in the supermarket fruit aisle your images were probably being recorded and this is also your personal data. You can request a copy of images taken of you. This will present some issues for all of us who may have installed CCTV for the ‘Prevention and detection of crime’ for example. You will need the ability to recall time stamped footage taken on a particular day, identify the subject and ensure other people photographed at the same time are unidentifiable or pixilated. Then find an effective way to share that data.
Subject Access is much more likely to relate to basic personal information such as name address and telephone number. However, you will need to be able to demonstrate to the ICO should they ever want to know, that you have a procedure to deal with all types of data upon request including CCTV. It’s a subject’s right so you must comply and you will have one month to do so.
Your Data Controller will be responsible for this and their contact details should be clearly available on your website. Subject requests will impact on other rights such as the right to be forgotten, the right of rectification, restriction and portability. This is a complex area of the legislation where every organisation will need to have a strong policy and procedure framework.
So to prove my point I’ve just called my local Tesco store. How would they deal with my request? I was told that I would need to go to the Police, who would be able to help me with my enquiry! This goes to show that it’s not just small organisations that may struggle. Even the biggest organisations need to think carefully about updating their procedures and training their staff in Subject Access Requests.
If you have a question about data protection and GDPR that you would like answered here:ask Mark Burnett
Mark can’t undertake to answer all questions received here, but he will cover the most useful and common questions he receives.
4,173 total views, 1 views today