At the end of March, the Data Protection Commission (DPC) issued guidelines on Subject Access Requests (SARs) during Covid-19 for individuals and businesses.
The law in this area is still the law, so officially your statutory obligations still apply, including the 30-day deadline. However, the DPC has stated that, in the event of a complaint, they will examine the facts of each case and take any extenuating circumstances into account.
For individuals submitting SARs
The DPC asks individuals seeking to make a SAR to appreciate the unprecedented nature of the current crisis, in particular the circumstances in which the organisation they are seeking the information from finds itself, citing the Dept of Health, Revenue, etc. The DPC goes on to point out that the organisation may be temporarily closed or have very limited staff to assist with the SAR.
For organisations responding to SARs
Any organisation experiencing difficulties in responding to requests should, where possible, communicate with the individuals concerned about the handling of their request, including any extension to the period for responding and the reasons for the delay in responding. The General Data Protection Regulation (GDPR) does provide for an extension of two months to respond to a request where necessary, considering the complexity and number of requests.
Organisations experiencing difficulties in actioning requests should also consider whether it is possible to respond to requests in stages: electronic records now, with hard copies to follow. The DPC also states that organisations should communicate clearly with the individuals concerned at all stages. Organisations are also encouraged to request that the person be as specific as possible in relation to the personal data sought.
If, due to the impact of COVID-19, an organisation cannot respond to a request in full or in part within the statutory timelines, it is still obliged to do so as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.
In conclusion, organisations should make every effort to communicate any delays or backlogs to individuals making SARs, even if they cannot respond to the request within the legal timeline.
The DPC has stated that the law cannot be ignored; however, should a complaint be made to the DPC, the facts of each case, including any specific extenuating circumstances, will be fully taken into account.
For data protection queries please contact Consultant Conor Robinson on 01 644 5800 or crobinson@lavelleparters.ie