
GDPR Subject access request

Is every bit of data regarding a past client required


One past client has emailed a Subject Access Request. This requested all calls, emails and other correspondence. 

Is every single bit of data required to be sent to this person? Where the person was a director in a company do I have to exclude the other director's details?

This will obviously take a huge amount of time to compile. ICO say that no charge should be made unless an administrative cost is made if the request is 'manifestly unfounded or excessive'. Has anyone ever charged an administration fee for this?


Replies (31)


By Moonbeam
24th Nov 2019 16:45

Have you spoken to anyone at ICO about this yet? It might be worth doing that. I can see that this is a can of worms.

Thanks (0)
By Brads.Kings
25th Nov 2019 07:31

I think it is narrower than the request implies. According to the EU:

GDPR Personal Data
4 (1). Personal data are any information which are related to an identified or identifiable natural person. ... For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

Thanks (0)
Replying to Brads.Kings:
By WhichTyler
25th Nov 2019 10:07

Those are all examples of personal data, but not the extent of it. Correspondence referring to the individual probably fits the bill too.

Thanks (0)
By paul.benny
25th Nov 2019 08:26

To answer the point about other directors - that's their personal data and you should not be sharing it without their authority. This means that you should redact any data about other named persons.

Thanks (0)
By Michael Davies
25th Nov 2019 10:36

This is sheer madness.
I cannot wait to jack this business in.

Thanks (0)
By kestrepo
25th Nov 2019 12:59

I would contact the person who made the request and ask them if there is something specific that they need or are looking for - it might turn a week's work into a five-minute job!

Thanks (0)
Replying to kestrepo:
By ireallyshouldknowthisbut
25th Nov 2019 13:59

This. Unless it's an ex-client deliberately being a PITA, presumably there is something they are after.

Thanks (0)
By adam.arca
25th Nov 2019 13:07

I haven't inwardly digested the ICO guidance so could well be talking out of the rear end but two thoughts do immediately come to mind:

The ICO examples given of personal data are indeed discrete details which are indisputably information. There are no examples given of random correspondence being personal data and I would personally dispute that a letter does count as personal data. To say otherwise strains the definition of data beyond breaking point (IMHO).

And secondly, it is incumbent upon the client to retain any correspondence which you have sent to them: you are not there to be their free back-up service and, to do so, abuses the intent of GDPR (again, IMHO).

Thanks (0)
Replying to adam.arca:
By WhichTyler
25th Nov 2019 16:04

A name and a corporate email address clearly relates to a particular individual and is therefore personal data. However, the content of any email using those details will not automatically be personal data unless it includes information which reveals something about that individual, or has an impact on them (see the chapters on the meaning of ‘relates to’ and indirectly identifying individuals, below).

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t...

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t...

Thanks (1)
Replying to WhichTyler:
By adam.arca
25th Nov 2019 16:57

Thank you, WhichTyler.

That is (what I believe) I was saying, albeit not as well referenced as your reply!

Thanks (0)
Replying to adam.arca:
By paul.benny
25th Nov 2019 16:17

Sorry, Adam. You're wrong on both counts.

If I write a reference saying to a third party that Adam is clever/stupid, that correspondence most certainly is personal data to which GDPR gives you a right of access. It's much more than using the advisor as a back-up.

Thanks (1)
Replying to paul.benny:
By RedFive
25th Nov 2019 16:24

That's true and I agree with your example but as per my response saying SAR is about info he hasn't had, but that is about him.

But his request looks like he wants EVERY email/ call etc which I would push back on, as he has had those.

And no, Mr Customer, I have no emails where I referred to you that you were not directly copied in on. (Or if I had done a reference, then yes, I would release that.)

Thanks (0)
Replying to RedFive:
By SXGuy
26th Nov 2019 08:48

Absolute rubbish. I take it you have never made a SAR before?

It matters not one jot whether the person requesting the information has already had it in the past; that's irrelevant. If you sent a SAR to your bank, do you think they would refuse to send all copies of bank statements as you have had them before? No, they do not.

Under the Data Protection Act 1984 and 1998, and including the right of subject access under these acts, you have the right to request any and all historical data in their possession which relates to you for which you are entitled to under section 7(1) of the Act.

This was later updated to the Data Protection Act 2018, and subsequent GDPR legislation which came in to force. But the original principles still apply.

Any and all data relating to you, whether it's an email, a comment on your file, letters, anything.

I appreciate, however, that for a small business this could be costly and time-consuming; however, there is also the provision to make a charge for the admin work, so it would make more sense to first accept the SAR and inform the person that if there is anything specific they want, to please state it, otherwise an admin charge will be applied before any and all information can be sent.

Thanks (1)
Replying to paul.benny:
By adam.arca
25th Nov 2019 17:05

Thanks, Paul, but I would beg to differ. On both counts.

If I provide that reference, then yes I agree that is probably personal data. What I was actually referring to, however, was the 99.99% of correspondence where say a name may be mentioned in passing but with no personal data inference intended (or inferred by the recipient), the likes of "Adam has agreed to do this and Paul will do that."

Nor have you provided any context in which a client could cite GDPR as a reason why I should spend hours trawling through correspondence which the client will already have received, regardless of whether you regard correspondence as potentially containing personal data.

Thanks (0)
Replying to adam.arca:
By adam.arca
25th Nov 2019 17:10

And whilst I think about it, isn't GDPR about personal data which you hold in some sort of "system"?

Has "hold" been defined for these purposes? Because, for me at least, the common-sense definition of "hold" would be some data which is readily accessible on my PMS and not a random comment on a letter stuffed away on a mouldering file I haven't seen in the last 10 years!

Thanks (0)
Replying to adam.arca:
By paul.benny
26th Nov 2019 07:58

GDPR refers to data processing, not holding personal data.

"Almost anything you do with data counts as processing; including collecting, recording, storing, using, analysing, combining, disclosing or deleting it."

Taken from https://ico.org.uk/for-organisations/guide-to-data-protection/introducti...

Thanks (0)
Replying to adam.arca:
By paul.benny
25th Nov 2019 17:30

One of the pages linked by Which Tyler says

"Data can contain references to an identifiable individual, or be linked to them, but not ‘relate to’ them as it is not about that individual but is about another topic entirely. Depending on the circumstances, this data may or may not be personal data."

You're probably on safer grounds arguing that correspondence contains no personal data than it shouldn't be provided as part of a SAR because the subject has previously received the letter. That said, since a mailed letter contains name and address (as a minimum), it probably does qualify as personal data, even if the body is, say, a client newsletter.

As for a client citing GDPR as a reason for providing duplicate copies of correspondence received, that's the law. Whilst there are exemptions for excessive requests, the guidance says that a SAR is "not necessarily be excessive just because the individual … requested a large amount of information, even if you might find the request burdensome". The guidance does go on to suggest clarifying the request as a means of reducing the effort, but if the client wants everything, there's not much you can do about it on a first request.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t...

Thanks (1)
Replying to paul.benny:
By adam.arca
26th Nov 2019 12:53

OK, thanks Paul for your helpful amplifications.

I still don't agree that this is within the spirit of what GDPR was intended for, nor that this isn't unnecessarily burdensome as ICO promised us last year when GDPR was introduced.

I'm also of the opinion that if what you say is true, then that will soon become a scam for the lazy to not bother keeping any correspondence and making repeated access requests with impunity.

Thanks (0)
By RedFive
25th Nov 2019 15:18

I would reply with the client's personal details as listed on my CRM system, including UTRs / DOB etc., with an explanation of why held (easy one-liner) in line with ICO guidance.

As to the email / call list, I would politely point out that as he was the recipient he would / should have a copy of all correspondence and therefore there is no need for you to provide it. SARs are for individuals to access data held about them that they haven't seen.

If he pushes back then send him a subject access request asking for all the emails and calls he made and or received from you. Then send it back to him.

I have no truck with idiots abusing a perfectly decent law in the hands of normal people.

As it happens I auto blind copy every email into my CRM system (Capsule CRM) so could print this with one click, but I wouldn't on principle.

Thanks (0)
Replying to RedFive:
By paul.benny
25th Nov 2019 16:28

Whilst you are right that an individual should have seen all correspondence addressed to him, there is no provision in GDPR to restrict information provided under a SAR to data that an individual has not previously seen.

Thanks (0)
Replying to RedFive:
By paul.benny
25th Nov 2019 16:36

Don't forget that GDPR gives a right of correction and a right of erasure.

If a client asks you to delete all of their personal data, you should either delete the lot or determine what you need to retain for your own compliance purposes. I started writing ex-client here but in fact that would also be true of current clients. (although clearly it's self-defeating to delete current years' data for a current client)

Thanks (0)
Replying to RedFive:
By johnhemming
25th Nov 2019 17:10

What you have to watch with SARs is that there is an enforcement process other than an application to court (which exists as well) which can be used and can end up being quite laborious.

I recently (2018) used these rules to obtain a copy of CCTV from Hilton Hotels that included me (in the reception of a hotel I was staying in). It took about 6 months and various threats of enforcement, but in the end they provided a complete copy of the CCTV. I may still sue them over breach of contract, but have enough legal cases going on at the moment and will wait until I have resolved some of the current ones.

It is worth working out what the client is trying to do, but this applies to anyone who is registered with the ICO. The client, of course, may not be registered with the ICO.

Thanks (0)
By hugogod
25th Nov 2019 18:23

Thank you for all your responses.
ICO were very useful when speaking to them.
GDPR does relate to personal data but apparently not to business information about that individual.
And yes any opinions of the client recorded in documents or log of calls made/received should apparently be disclosed with any reference to other individuals redacted.
A thick black redacting pen will be bought.

Thanks (0)
Replying to hugogod:
By WhichTyler
26th Nov 2019 08:37

hugogod wrote:

GDPR does relate to personal data but apparently not to business information about that individual.


Just to be clear on 'business information': information about the business (i.e. the limited company) is not personal data.
Information about the individual within the business is personal data
Information about sole traders is personal data

In other words the 'person' in 'personal data' has to be a natural person as m'learned friends say...

Thanks (0)
By adam.arca
26th Nov 2019 13:01

OK, this whole thread has really peeved me, not least because many of you actually seem to think the access request is reasonable or at least not worth contesting.

This is what I have just googled off the ICO website:

"What is the meaning of ‘relates to’?
….
To decide whether or not data relates to an individual, you may need to consider:
the content of the data –
is it directly about the individual or their activities?;
the purpose you will process the data for; and
the results of or effects on the individual from processing the data.
…."

So, in my opinion, 99.9% of correspondence is (or should be) out of the equation.

If I write to "Mr A N Other" and use a valediction of "Dear A N," then the purpose of using that data is to write a letter and nothing else. I haven't "processed" anything (using a common sense, English dictionary definition of processed) and I haven't stored anything (again, using an everyday understanding of what that means).

Thanks (0)
Replying to adam.arca:
By paul.benny
28th Nov 2019 08:01

Why are you peeved that other people disagree with you?

As I've previously quoted (from the ICO website), "Almost anything you do with data counts as processing; including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.". If your letter contains Mr Other's address as well as his name, it's personal data.

That may not be your "common sense, dictionary definition" interpretation. But I think you'll find it's the law.

Thanks (0)
Replying to paul.benny:
By adam.arca
05th Dec 2019 13:26

OK, maybe "peeved" was the wrong term. People are free to disagree with me as I talk complete rubbish at least as often as half sensible stuff.

My opinion (and you're completely free to have a different one, it won't change my respect for your various excellent postings) is that this seems to be a grey area where there is no clear guidance on a practical aspect (do we have to trawl through old paper records just because they contain a name and address) which probably wasn't considered in any depth when GDPR was introduced. My opinion is also that if, in the fullness of time, it is decided that we do have to so trawl, then that would for me undermine the good work which GDPR is there to establish by creating onerous and unreasonable demands on those keeping the records.

Today's posting below by Cardiff Accountant and the advice he received from ICO seems to me to be more in line with the way I understood GDPR to be than the way some other posters (including your good self) have represented it to be.

Thanks (0)
By penelope pitstop
28th Nov 2019 00:53

What sort of client is it? Individual, partnership, company?

And what is their underlying gripe? If an individual, was he/she a bit of a weirdo in past dealings?

Are they likely to fish out anything controversial? Or is it just going to waste your time?

Thanks (0)
By Maslins
28th Nov 2019 10:48

Personally I'd suggest you worry less about the finer details of the law and just think about the spirit of it.

Give him all the standing data you hold, and when it comes to correspondence, ask what particular things he wants. If he says "everything" (and assuming that would be a huge amount), I'd be inclined to either:
1) just send him some that you can readily get, or
2) say you don't think that's reasonable, but reiterate if there's any specifics you'll try to get them.

I imagine he could make a formal complaint to the ICO, but as a small business owner who's made a reasonable effort, I would hope they'd have sympathy with you rather than clobber you.

Thanks (0)
By CardiffAccountant
05th Dec 2019 09:17

I was involved with a similar situation a few years ago when a trustee of a charity.

I contacted the ICO and they were very helpful.

From what I can recall, any correspondence/telephone call that was made to the ex-client need not be provided. They have already had a copy/been involved with the conversation. If they cannot keep their own records, then that’s their problem.

Any correspondence when others are named, you either request authority to disclose or redact.

Other than that, just about everything may/will need to be provided.

One more point. The ICO said that it was up to us what to provide and not provide. It basically comes down to being able to justify your actions.

Hope this sort of helps.

Thanks (1)