Unions 21 | Blog post

Aspects of Managing Data Protection Subject Access Requests

By Edward Cooper, Slater Gordon | 8 min

Under data protection law, members and other individuals can exercise certain rights against the union, as data controller, regarding their personal data, which include the rights to be informed, to rectification, to erasure and, importantly, the right of access. The right most likely to be exercised is the right of access, commonly described as being exercised by a subject access request (SAR).

This article is not intended to be a comprehensive examination of that right but aims to address some common management issues that can arise in identifying a subject access request from a member, whether a fee can be charged and whether it needs to be complied with.

How is a SAR recognised?

Whereas it is often the case that a request will explicitly state that it is a subject access request or refer to data protection law, an individual is not required to do this. It may be otherwise clear from the request that the individual is exercising their right of access.

A request can be made both verbally and in writing and can be made to any part of the union, including over the phone or by social media, and does not have to be made to a specific person or contact point (whatever the rules may say). ICO guidance is that you should consider which of your staff need specific training to identify a request, suggesting that particularly those who regularly interact with members and the public should be able to identify a subject access request and know the next steps.

Not every request the union receives from an individual for a document containing their personal information is a subject access request. Some requests may simply be requests for documents the individual is otherwise entitled to from their case file.

Whereas you can provide a standard (probably on-line) form by which somebody can make a subject access request, a subject access request is equally valid whether an individual uses that form or submits it by letter, e-mail or verbally. Therefore use of a standard form cannot be made compulsory, though there may be merit in inviting individuals to use it, as the form might assist in focussing the request.

Can the individual making the request be required to provide ID documentation?

As the ICO advises: “You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual”.

If the request is from a member then it may not be reasonable and proportionate to seek a copy of, say, their passport for ID purposes, but unless the request follows ongoing correspondence with the member you might request their membership number.

It would be appropriate to seek appropriate ID documentation:

  1. if the request comes from a member from a different home or email address than that contained on the union's records;

  2. when a member has similar identifying details to another member;

  3. if there is any doubt as to whom the request comes from.

Can you charge a fee?

The data protection legislation does not provide for a data controller to charge a fee for access in most cases.

There is, however, scope to charge a ‘reasonable fee’ for the administrative costs of complying with a request if:

  • it is manifestly unfounded or excessive; or

  • an individual requests further copies of their data following a request.

You can refuse to comply with a manifestly unfounded or excessive request (about which see below).

The ICO provides guidance as to how to determine a reasonable fee, in the limited circumstances where you can charge a fee, and advises that it is good practice to establish an unbiased set of criteria for charging fees which explains: the circumstances in which you charge a fee; your standard charges; and how you calculate the fee.

If a fee can be charged and is charged then you do not need to comply with the request until you have received the fee.

How long do you have to respond?

The union will have one month to respond to a subject access request starting from the date that the request is received into the union. The deadlines are statutory, and the clock starts ticking instantly.

You can extend the time to respond by a further two months if:

  • the request is complex; or

  • you have received a number of requests from the individual – this can include other types of requests relating to individuals’ rights.

You should calculate the extension as three months from the original start date, i.e. the day you receive the request, fee or other requested information.

If you don’t respond on time the individual concerned can complain to the Information Commissioner and may also seek to enforce their rights by the courts.

Can you refuse to comply with a request?

There are some limited exemptions, and you can also refuse to comply if a SAR is:

  • manifestly unfounded; or

  • manifestly excessive.

A request is manifestly unfounded if:

  1. the individual clearly has no intention of exercising their right of access, for instance by offering to withdraw on receipt of some form of benefit. This may well not apply where the individual is making a claim against the union and offers to withdraw the request as part of the terms of settlement; it will depend on the circumstances;

  2. the request is malicious in intent (such as making unsubstantiated allegations motivated by malice, or systematically sending requests as part of a campaign with the intention of creating disruption).

These circumstances are likely to be very rare and you may want to seek legal advice before refusing to respond to a request on this ground.

A request is manifestly excessive if it is obviously unreasonable, and disproportionate when balanced with the burden of the cost in dealing with it.

A request is not necessarily excessive just because the individual requests a large amount of information. You need to consider all the circumstances of the request. You should also consider making clear that you consider that the request may be excessive, asking the individual for more information to help you locate the information they want, and considering whether you can make reasonable searches for the information. You would be on stronger ground refusing the request if, despite your having asked, the individual making the request fails to provide the information requested.

If refusing on either ground you need to be able to demonstrate why, both to the individual making the request and also, potentially, to the ICO.

SAR for communications by union on behalf of the member making the SAR

It is not uncommon that a member may make a SAR of their personal data in communications between (1) the union, and their officers (both local and national) and (2) a third party such as the member’s employer or former employer. A request may also be made of communications between officers of the union.

Whereas those communications may be confidential, any duty of confidentiality would likely be owed to the member who is making the request and hence refusing to respond on grounds of confidentiality may well not be available.

A request might also be made of the communications between the union and their solicitors. Disclosure to the member may be exempted as being subject to legal professional privilege, but this will depend on whether the union is seeking advice for itself or on behalf of the member. That question will likely be determined by the retainer between the union and the lawyers in question applicable to the data in question.

Any request would also be limited to personal data where the union is the data controller. If any communications are undertaken in circumstances where the data controller is, for instance, the employer (for example where the union representative undertakes their trade union duties on the email system of the employer), the union would not be able to comply with the request in respect of those communications, and unless there was a data processing agreement between the union and employer, the member making the request might then seek access by a SAR direct to the employer (and this might extend to personal data contained in communications between union representatives at that employer).

The information provided above does not, and is not intended to, constitute legal advice; instead, all information, content, and material is for general information purposes only. Readers should seek independent legal advice with respect to any particular legal matter. No reader should act or refrain from acting on the basis of information contained in this article without first seeking independent legal advice.
