Covid-19 – GDPR Series – Part 3 – Data Access Requests during the crisis

This note is part of a series that the lawyers of Reddy Charlton will issue on the major legal, personal and business issues that will confront us all during the Covid-19 crisis.

As the two year anniversary of the introduction of the GDPR approaches (25 May) it is important to refresh some of the important measures introduced and consider them in the current Covid-19 related business environment. In this article, we look at Data Access Requests (DARs) and identify some practical advice for those considering a DAR and those organisations that have to respond to a DAR.

What are the Data Access Request requirements?

The GDPR provides a right to individuals to receive and view their personal data by way of DAR to the organisation that holds such personal data. This request can be either verbal or in writing. Organisations have a one month time period to respond to a DAR. This may be extended by a further two months where necessary, taking into account the complexity and number of the access requests. The GDPR requires that the information provided to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Are the GDPR timelines relaxed during the Covid-19 crisis?

In short, no, as the timelines are set down in law. These time periods will continue to apply despite the significant strain COVID-19 has placed on a businesses’ ability to manage them. However, the Data Protection Commissioner (DPC) has flagged in its helpful note that they will be adopting a proportionate regulatory response (https://dataprotection.ie/en/covid-19-and-subject-access-requests).

What are the implications for Data Subjects?

Individuals do need to bear in mind that during this Covid-19 crisis, organisations have had to adapt their work flows, work practices and priorities to mitigate the effects of the crisis. Some organisations (such as healthcare providers, government departments) have had to divert resources to their frontline service of combating and containing the virus. This may have a negative impact on their ability to respond to DARs in a timely manner. Individuals who are seeking access to their data are urged by the DPC to bear this in mind and also to be as specific as possible in their DAR.

What are the implications for organisations who receive DARs

The DPC has recognised that organisations’ ability to respond to DARs may be significantly impaired as many close temporarily, implement new remote working arrangements and direct resources to priority work areas. Where organisations can respond they should do so without delay.

What is the practical advice for responding to a DAR during this crisis?

• Acknowledge the DAR
Reply in quick order, acknowledging the safe receipt of the DAR. Identify at this early stage that the DAR will be processed. If it is the case that your processing is negatively impacted by Covid-19 identify this to the Data Subject.

• Estimate & Communicate
Have your staff conduct an estimate of the DAR and communicate with the Data Subject your anticipated processing of the case. Clearly communicate with them, explaining the reasons and seek their understanding of this.

• Provide a staged reply
Ideally, an organisation will respond in full to a DAR. However, this may not be possible and if this is the case reply to the DAR in identifiable stages. These stages may be on the basis of time (a particular period) or may be a type of storage such as digital records (rather than physical). This may be particularly relevant where remote working means that you only have immediate access to these digital records. It is very important to communicate clearly with the individual that you will be responding in stages.

• Complete the DAR when possible
If replying in stages, it is critical that the full DAR be responded to when possible. When you can provide the data subject with the full response, you should do so without delay. You must ensure that any access request is actioned as soon as possible.

• Maintain clear records
In any DAR it is very important to keep clear and accurate notes of how the request was responded to. This applies even more so in circumstances where your response is hindered by such a situation as Covid-19 restrictions. Where delays are unavoidable make sure you keep a record of the reasons for the delay, along with all correspondence with the data subject.

How will the DPC manage complaints it receives about a poor response to a DAR?

While the time periods mandated by the GDPR cannot be relaxed, the DPC will assess any complaints made based on all the relevant facts, including extenuating circumstances caused by Covid-19.

How can Reddy Charlton help?

During this Covid-19 crisis, Reddy Charlton Solicitors are eager to support, encourage and guide your business. If you have any queries or seek further information on the CCAS or any other area of construction or commercial law, please contact Elaine McGrath at emcgrath@reddycharlton.ie