A few weeks ago a query came up about Subject Access Requests and whether or not you would give out documentation that was in your file that belonged to someone else and even I got my ropes taffled and nearly strangled myself, so I wrote this post to discuss the finer detail.
In records management terms, the ownership of documents is something that sounds wholly normal because generally, as a rule, you are not required to keep documents that do not belong to you. If a document came to you, unless a transfer of ownership has occurred and you’ve been told about it, you basically only have a copy of the original. It’s the original which has the retention period applied to it, which is why, if you’re going to tackle your email inboxes, you should always focus on sent items, not on the inbox itself. There is every case that, if you don’t need the documents you’re given, you should use the action of ‘weeding’ to get rid of them, because you should always be able to go back to the originator to get another copy if you need it. That is, unless you write on the bottom of it and ‘create’ a new record.
However, under Data Protection there isn’t a concept of ‘ownership’ and you are responsible for the documents in your files regardless of who wrote them. Where does this apply to the scenario though? In the event that you receive a Subject Access Request and you have some documents that were written by another organisation, you would naturally want to know the opinion of the person who wrote them and whether they should be released. Equally, I’m sure the other organisation would like to know if the documents they originally wrote were being released.
In a previous life, I used to temporarily redact all of those records and go out to the organisation to ask for their opinion (important note: not their consent). In some circumstances I would wait for a definite opinion. In others, I’d give a time frame for responding if I thought the content wasn’t of any particular harm. However, that is a risk that you, as Data Controller, have to take. If the organisation comes back and says they don’t think you should release it and you still do, it’s your responsibility for the issues that come up following the release of that information because it was in your files. Naturally, if you choose not to release it, then there has to be a specific reason why you didn’t, such as that it would cause harm to the individual or someone else if it were to be released.
In recent weeks, I’ve seen many of what a client called ‘I r baboon’ agreements flying around, which read ‘Me Data Controller; you Data Processor’, and some have even put a clause in their agreements with the processors saying that if the processors get a Subject Access Request for documentation, then they want to know. That is not particularly clear when some of the records flying around only form 1% of a much bigger file, for the other 99% of which the Processor is actually the Controller. However, they would still like to know if you are processing the data in your files that originally belonged to them. So, I can see why there is such confusion over what organisations should do.
I guess the point of this really was that you need to be aware of the differences between Records Management and Data Protection terminology. You cannot palm the requestor off to the original writer of the records, redact the records and refuse to give them. You have to work with the organisations and any other bodies whose records you have copies of within your files. This is something that must be documented in your rights procedures so you know what to do in the event someone requests their information. So if you have lots of letters in your files from other organisations, you’re gonna have to make some kind of decision on whether to release or not.
For those who are saying that they were wanting to do this because they can no longer charge and so it’s costing them a fortune, unfortunately, it’s too bad. Subject Access Requests are indeed free (unless it can be proven that it’s excessive or unfounded – which is a completely different discussion!)
So, I would say that when you release, it’s worth knowing the opinion first, so you need to be building good relationships with organisations to enable a swift and quick turnaround within the time frame of 30 days. Give deadlines for them to respond, send chasers. Do whatever you have to do to uphold someone’s right of access, because if it was your request for information about you, you’d want the organisation that is dealing with your request to know what they are doing and not just mess you around.