Businesses have become data repositories. It is unavoidable. All organisations - public, private and third sector - build up vast amounts of information, commercial, organisational and personal. It is crucial that business managers understand the significant obligations in terms of data protection and privacy, as well as heightened risks of cyber threat.
Increasingly, organisations in all sectors are having to contend with more regular and complex statutory information requests for personal data of their employees or other individuals (data subject access requests or “DSARs”).
Public authorities, and some private sector entities operating within the public sector or performing certain functions, have the additional burden of being subject to Freedom of Information legislation. Those bodies should have a full understanding of what information they hold and ensure robust processes are in place to respond to what are often broad requests for information. The Environmental Information Regulations create similar obligations regarding environmental information.
We have set out some of the key features of these statutory regimes, and what this means for organisations. These should be seen as headline points and specific advice should be sought on how to manage data and respond to a request to access it.
Data Subject Access Requests (“DSAR”)
Employees and other individuals have the right to access and receive a copy of their personal data held by an organisation that is a ‘data controller’. Individuals can ask for:
- Confirmation that you are processing their personal data;
- A copy of their personal data; and
- Other supplementary information (including the purpose of the processing and who you share the personal data with).
There are no formal requirements contained in the UK GDPR regime on how to make a ‘valid’ DSAR; it only needs to be clear that the individual is asking for their own personal data. So, businesses need to implement proper governance and structures to ensure requests are properly and swiftly identified. Once a request is received, an organisation must respond to the request within one calendar month, starting with the day the request is received. This can, however, be extended by a further two months should the request be particularly complex or should a high volume of personal data be discovered.
An organisation cannot charge a fee for responding to a DSAR, unless the request is “manifestly unfounded or excessive”, or if the employee asks for further copies of the same data. Whether a request is manifestly unfounded or excessive will depend on the circumstances, but it is not intended to be used lightly and does not provide an easy way to avoid dealing with these requests. As many organisations know from experience, DSARs are frequently made strategically in challenging situations, such as during redundancy processes, in response to an employee disciplinary or grievance, actual or threatened litigation, complaints and employment tribunals, which can prove difficult to manage.
Organisations need to have robust processes in place to identify requests, and to conduct “reasonable and proportionate” searches over what are often vast amounts of electronic data. Challenges can arise where vast volumes of data are held, when the request is particularly wide-ranging, and when internal file management systems are not sophisticated enough to facilitate targeted searches. Once potentially relevant material has been identified, manual review will be required to determine whether any of the information is out of scope, or should be withheld because of an exemption (e.g. where the information contains personal data of third parties).
Where a data subject is unhappy about the way in which the controller has handled their request, they may raise a complaint with the UK’s data regulator - the Information Commissioner’s Office. From next year, employees will also be able to make a complaint to an organisation about how their DSAR has been handled – please see our recent blog on the right to complain under the Data (Use and Access) Act.
Experts from our employment and data privacy teams can support you with DSAR challenges. For more information, please see our dedicated Data Subject Access Requests page.
Freedom of Information (“FOI”) and Environmental Information Regulations (“EIR”)
The Freedom of Information (Scotland) Act 2002 (“FOISA”) applies to Scottish public authorities and organisations that are wholly owned by these public authorities. The Scottish Information Commissioner has published a list of the Scottish public authorities here. The Environmental Information (Scotland) Regulations 2004 have a broader definition and can apply to a range of bodies, which are not necessarily considered as public authorities. Unfortunately, there is no definitive list of bodies covered by the EIRs, so there may be some work in understanding whether the recipient of the request falls under the legislation.
FOISA entitles any person or body to seek and receive information from a Scottish public authority that it holds, subject to certain exemptions. Authorities are also under a duty to provide reasonable advice and assistance to the applicant. This means that if the request is unclear, the authority cannot simply refuse to comply with it; it is expected to work with the applicant to clarify the request (though it is not required to respond to the request until that clarification is received). Where the authority does not hold the information, but it knows who does, it should signpost the individual to the appropriate authority.
FOI requests must be made in writing, include the real name of the requester, and provide contact details to allow the public authority to provide a response. It is important to bear in mind that a valid request:
- does not need to refer to FOI;
- can be made from outside of Scotland;
- can be made by individuals or corporate bodies;
- can be made on behalf of another person; and
- does not need to explain why the applicant wants the information.
Public authorities must provide a response promptly and within 20 working days, which excludes weekends and official bank holidays. The first working day is the day after the request is received. The authority can charge a modest fee for responding to a FOISA request, subject to limits prescribed by the legislation.
Public authorities should:
- ensure staff are trained to recognise a FOISA request and direct it appropriately internally;
- have procedures in place which support “reasonable and proportionate” searches;
- keep records of the search process in the event of any review/appeal;
- be mindful of the statutory deadline; and
- advise third parties that information which they share with the authority may be required to be disclosed as part of their duty to comply with FOISA.
While there is a general presumption in favour of disclosure, certain information is protected from disclosure by way of exemption. These should be used as restrictively as possible. Most of the exemptions under FOISA are subject to the public interest test, meaning that, even where the exemption applies, disclosure is required where the public interest outweighs the interest in withholding the information. Exemptions cover areas such as prejudice to commercial interests, legal privilege, and the effective conduct of public affairs. There are a few absolute exemptions, such as where disclosure is prohibited by law or would constitute contempt of court, and, in some cases, where the information is personal data. Where the exemption is absolute, the public interest test does not apply.
EIR requests relate to environmental information. What constitutes “environmental information” should be interpreted fairly broadly. The Scottish Information Commissioner has held that this includes matters such as roads, maintenance, noise, air pollution, and development projects. As with FOI requests, there is an obligation to respond within 20 working days; however, this period can be extended if the request is complex or voluminous. There are similar, but not identical, exemptions which require information to be withheld. Crucially, all exemptions are subject to a public interest test, making disclosure a more nuanced assessment.
It can be difficult to differentiate between an FOI and an EIR request, and some requests might engage both regimes. Authorities must be confident in recognising requests and ensuring that they are handled swiftly under the appropriate regime.
Where the applicant is unhappy with the authority’s response to their request, they have the right to request a review by the authority, after which point they may raise a complaint with the Scottish Information Commissioner. This is different from the complaint route for DSARs, as the legislation governing DSARs is UK-wide.
Our market-leading Disputes Group brings together experts in contentious matters from the firm’s commercial litigation, health & safety, corporate crime, employment & immigration, construction & projects, public law & regulatory, planning & environment, and family law teams.
Key stats for our Disputes Group:
- One of the largest disputes teams in Scotland
- Acting in the most high-profile, high value and business critical matters before the Scottish courts
- Acting in litigation valued in the region of £500M
- 30 partners
- Over 100 fee earners
- Ranked in 32 practice areas in Chambers UK and Legal 500
- 60 individuals ranked in Chambers UK and Legal 500