SUBJECT ACCESS REQUESTS
Branches will be aware of the introduction of General Data Protection Act 2018 (GDPR) / Data Protection Act 2018 (DPA). This legislation applies to the CWU at all levels, including Branch, Region and National (HQ).
One aspect of this legislation is that individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or ‘SAR’.
Subject access requests received by the CWU will normally be from CWU members or ex-members, but can also be from other individuals the CWU may have had dealings with.
The legislation states that an organisation should “Respond without delay and within one month of receipt of the request.” The legislation also says that organisations should perform a reasonable search for the requested information. It also states that organisations can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive, but these exemptions will apply in only very limited cases.
The Information Commissioner’s Office (ICO) is the regulator tasked with GDPR/DPA enforcement and has already issued many enforcement orders and levied hundreds of fines against UK organisations, the vast majority of which were in the low thousands for fairly minor infractions. However, there have been a handful of major fines that have hit the upper threshold of what’s possible. Some of these fines have been for none-compliance with Subject Access Requests.
As the ICO stated in one such enforcement notice, “Anyone who requests their personal information from a UK-based company or organisation is legally entitled to have that request answered, in full, under UK data protection law. This is called the right of subject access. Where organisations fail to meet their obligations, the ICO can issue an enforcement notice compelling them to do so. It’s a criminal offence not to comply with it.”
In addition to ICO enforcement action, individuals have the right to seek compensation for a failure to comply with the rules.
The fines that can be imposed can be significant. Under the DPA, the maximum fine the ICO is entitled to levy against a data controller that has breached the legislation is £500,000.
Under the GDPR, the ICO can impose up fines of up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors. The following is a non-exhaustive list of GDPR provisions which, if infringed, may attract a top level fine:
“the basic processing conditions including in respect of obtaining consent;
- infringement of the rights of data subjects;
- international transfers of personal data; and
- failure to implement or adhere to a subject access request process.”
So it is of vital importance that when the CWU receives a subject access request, that we comply with the request as quickly and as comprehensively as we can.
The purpose of this LTB is to remind Branches of their responsibilities in this area and to point out that Branches can play their part in this process by recognising a SAR if they receive one at Branch level and forwarding it to the CWU Data Protection Officer (details below) for processing.
It is vitally important that Branches act promptly on receipt of a request from the CWU Data Protection Officer.
This will require the Branch to collate all records (correspondence, case files etc) and forward them to the CWU Data Protection Officer without delay. This applies to all relevant records either in electronic or paper format. Not every single mention of the subject is required but anything that has personal information about them should be included.
A similar exercise will also be carried out at HQ, checking with the Membership department, Legal department, etc.
Any references to third parties (i.e. other than the ‘Subject’ and the CWU) will be redacted before it goes out to the subject (i.e. the requestor).
We appreciate that we are all very busy and have better things to spend our time on, however, the legislation exists and our failure to comply could result in action being taken against the union. It is vital therefore that the above process is applied in every case.
For further information on the contents of this LTB, please contact the CWU Data Protection Officer: Denis Lenihan, Data Protection Officer & Information Manager, Research Department, email: firstname.lastname@example.org Work mobile: 07874 628 423 Office Direct line: 020 8971 7279.
Senior Deputy General Secretary