Subject access requests - common pitfalls & issues (& how to avoid them)
In October 2020, the Information Commissioner’s Office (ICO) issued new statutory guidance on dealing with subject access requests (SARs). This (80 page!) supplement to existing information (Right of access | ICO) is timely. Although driven by a few factors, a growth in claims firms has been a major contributor to an increase in the volume of SARs being received by pension trustees and scheme administrators.
What is a SAR?
- Under UK General Data Protection Regulation (GDPR), individuals have a fundamental right to access & receive a copy of their personal data & other supplementary information. This right is known as a ‘subject access request’.
- Individuals can make a SAR verbally, in writing, via social media or an online portal or through a third party, such as a claims management firm.
- SARs can be made to the data controller (trustees, employer) or data processor (scheme administrator).
- Trustees as data controllers are legally responsible for responding to a SAR within 30 days of a valid request (may be extended by 2 months if the request is ‘complex’).
- A fee cannot be charged for providing the information.
- Refusal to provide the information requested can only be made if an exemption or restriction applies or the request is ‘manifestly unfounded’ or ‘excessive’.
What data can be released?
An individual is generally only entitled to their own personal data. Before responding to a SAR, you must determine:
- if the request is a valid one (ID verification required & authorisation provided where a third party is involved)
- whether the information held is ‘personal data’ (identifies a living person) &, if so, who it relates to (the data subject)
What are the common pitfalls & issues?
- Data controller isn’t promptly informed - sometimes the pension trustees only learn about the SAR either on or close to the 30-day deadline.
- Data not documents - when full documentation is released (eg a full set of minutes) because the data subject is referenced rather than just an extract of the data relating to the member. The entitlement under GDPR is to personal data, not documents.
- Relevant personal data – when a file of information is provided to the pension trustees for checking prior to issue but other members’ data shown within is not redacted.
- Health data - this should not be released in response to a SAR without considering if the exemptions or restrictions under the GDPR apply. Often health data is included within a member’s file without thought - eg where a member has been refused early retirement on the grounds of ill-health and the medical details obtained and reasons for a refusal are released.
- Misunderstanding the request #1 - where a request for personal information isn’t treated as a SAR but as a generic enquiry for scheme information & responded to accordingly. This is often true with requests from claims management firms. Our experience shows they ask for a long list of scheme & member information, which may be mistaken for a generic enquiry.
- Misunderstanding the request #2 - where a member’s file has been released in response to a generic enquiry. A member doesn’t have to specifically state their request is a SAR but, if it is ambiguous, the pension trustees or administrator should seek clarification of what’s required.
- Principal contact away – we’ve seen examples where a SAR is received but the recipient is away & the request isn’t passed on to be actioned. This increases the risk of not responding within 30 days.
- Claims firms - A disgruntled member or former employee may use a claims company as the first step to find out who they can make a complaint against (trustee, administrator, actuary, employer or IFA who advised them). Take care to ensure only relevant data is provided.
The GDPR and ICO’s new guidance clarifies that controllers (not processors) are responsible for complying with SARs. Processors have their own obligations, which include helping the controller to respond.
As professional trustees, we work closely with scheme advisers to avoid these common issues by ensuring both the controller and processor are clear about their roles, responsibilities and timescales to respond. In part this comes down to training, but mostly it’s about having contractual arrangements in place that set out who will deal with a SAR and when.
Steps to avoid common pitfalls & issues
- The processor should promptly inform the controller when a SAR is received - ideally on the same day of receipt.
- Check the SAR is valid and the scope of data is understood. If not, seek further clarification.
- Ensure the SAR can be responded to within 30 days and isn’t caught by any exemptions or restrictions or isn’t ‘unfounded’ or ‘excessive’.
- Provide only the personal data requested and not documentation unless relevant.
- Only release data or scheme information with the data controller’s agreement.
- Make sure a SAR isn’t overlooked - set up ‘out of office’ responses to include wording advising a SAR should be forwarded to a named contact.
By following guidance and having appropriate policies and procedures in place, pension trustees and scheme advisers should be well equipped to deal with SARs and avoid these common mistakes.
Back to opinions