Framework Agreements: the customer contract model for technology service providers
In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way.
One key right for individuals under the existing data protection regime is the right to make a subject access request (SAR) to a data controller and to receive in response, amongst other things, information about the basis upon which their data is being processed, who their data is being shared with, how long it will be kept and in addition - subject to any exemptions or restrictions applicable - a copy of their personal data. Although an important right for individuals, responding to SARs can be a time consuming and resource intensive process for data controllers. In recognition of this, the consultation paper puts forward a number of ways that might limit the ‘burden’ on responding to SARs.
One proposal is for the introduction of a ‘small nominal fee’ for processing subject access requests. Under the pre GDPR data protection regime, data controllers could charge a fee of £10 for responding to SARs (although in practice many did not) and the Government seeks views on the re-introduction of such a fee and on a what a reasonable level of fee would be. It seems to us that, unless the fee is set at an unreasonably high level, it is in practice unlikely to deter applicants from making SARs. The consultation paper does not attempt to model the likely impact of the introduction of a fee and this is picked up in the ICO’s response to the consultation – “In our view a fuller assessment is needed to understand the implications of introducing a nominal fee, which has potentially wide-ranging impact on people. This will ensure that any change is not disproportionate.”
A second proposal, drawing on the Freedom of Information regime, is for the introduction of a costs limit for dealing with SARs. Under the FOIA there is a cost limit of £600 for central government and £450 for local government for complying with FOI requests. If the public body considers that dealing with a request will exceed that limit it can either refuse to deal with the request or offer to do so on the basis that the cost of compliance is met by the requestor. However, in calculating whether the cost limit will be met (i) public bodies apply a staff time rate of £25 per hour (so, in the case of central government bodies, 18 staff hours) and (ii) the cost limit only applies to finding/retrieving information and not to determining whether any exemptions that apply. In practice, our experience that the bulk of time spent in responding to SARS is not spent identifying and retrieving information falling within scope - keyword searches of relevant databases can be done very quickly – but rather in reviewing that information and considering the applicability of exemptions or the exclusion of third party data. So, unless there is to a departure from the way this is approached under FOIA, again the change may be likely to make little real difference. An additional factor, which is not addressed in the consultation paper but which is highlighted in the ICO response to the consultation, is that under FOIA, a person seeking information can complain to the ICO about a refusal based on cost limits and, if dissatisfied with ICO’s response, appeal to the First Tier Tribunal. There is no equivalent right of appeal under the data protection legislation and, as the ICO suggest, there should be “further detailed consideration about how safeguards will work in practice, including how any rights of appeal may need to be amended and how potential equality issues will be addressed”.
The third proposal, again drawing on the Freedom of Information regime, is to expand the existing “manifestly unfounded or excessive” ground for refusing to comply with a SAR. It is said in the consultation paper that the Government is concerned that this imposes a high bar for refusal. What is proposed is to apply a test of ‘vexatiousness’ as a ground of refusal. That is currently a ground of refusal under the FOIA regime and the ICO’s guidance on its application is whether the request for information is likely to “cause a disproportionate or unjustifiable level of distress, disruption or irritation”. Yet again, the consultation paper contains no modelling of what the impact of such a change might be, nor does it even give any examples of the kind of SAR that might be considered vexatious. In light of the importance of the right of access to personal data – recognised in the consultation paper as a “fundamental” data protection right and a “critical transparency mechanism” – it seems highly unlikely that any but a tiny number of SARs would ever meet the “vexatious” threshold.
In conclusion, the changes contemplated in the consultation paper may be unlikely to make very much practical difference; and, are unlikely in any significant way to alleviate the perceived burden on data controllers in responding to SARs. That is perhaps not surprising – any significant restriction on the right of access would undermine what is accepted as a fundamental right and would highly relevant to the EU’s assessment, which is the basis upon which it has made the adequacy decisions for the United Kingdom (which allow for the free flow of data from the EU to the UK), that the UK’s data protection laws provide an essentially equivalent protection to that guaranteed under EU law.
For further information on the issues raised in this blog, please contact Adam Chapman in our Public Law team.
Adam joined Kingsley Napley in January 2010 as a partner in the Public Law team. He has nearly 30 years experience as a public lawyer and previously spent most of his career in central government, working at the Treasury Solicitor’s Department and at the Attorney General’s Office.
Skip to content Home About Us Insights Services Contact Accessibility