Subject access requests

August 2012

Part 2 Subject access requests

81A.29  General implication of DPA to The Service

Official receivers

The areas in which DPA has a direct impact on the work of the official receiver are:

  • providing data subjects with the fair processing information;
  • responding to subject access requests;
  • disclosure of personal data to third parties;
  • obtaining personal data about bankrupts or company directors from third parties;
  • dealing with personal data held by insolvents.

In addition, to ensure compliance with the Data Protection Principles, the official receiver should have regard to the requirements outlined in paragraph 81A.17 to paragraph 81A.28.

Detailed guidance on responding to subject access requests is available HERE.

The Service generally

Official receivers should be aware that files may be held for bankrupts and company directors by various Directorates within Corporate and Business Services or Investigation and Enforcement Services. If advice has been sought about a case from Technical Section, a file will have been opened which will contain copies of the exchange of minutes and may contain other papers. These will be stored in Wisdom or at the Registry in Birmingham. In addition, IES may hold files on bankrupts and directors, which may form part of a relevant filing system, and also maintain databases with details of criminal allegations, disqualifications and bankruptcy restrictions orders.

All subject access requests received by any part of The Service must be forwarded to the FOI/DPA Team in Technical Section by copying them to FOI@insolvency.gsi.gov.uk, to ensure that the response covers all parts of The Service and therefore conforms to the legislation.

Any member of staff wishing to make a subject access request about their own personal data should contact Human Resources.

The official receiver as a data controller has control of information held in his/her liquidation and bankruptcy files, information held on computer for his/her liquidation and bankruptcy cases, and information held in the records of an insolvent where the official receiver is acting as liquidator or trustee in bankruptcy. All other information held by The Service is under the control of the Secretary of State and the official receiver has no duty to disclose it. In general, the official receiver will be responsible for providing personal data in response to a subject access request for personal data he/she holds on his/her case files. The FOI/DPA Team will, when notified of a request that takes in other parts of The Service, co-ordinate a central response.

81A.30  Subject access requests

A request under section 7(1) of the DPA is called a subject access request. It must be in writing and only provides a right to the personal data of the data subject. The data controller is not obliged to supply information under this section unless he is supplied with any information he may reasonably require to satisfy himself of the identity of the person making the request. [note 1]

Where a request is received from an individual for their ‘personal data’, forward this immediately to the FOI/DPA Team, who will issue an acknowledgement to the individual and request ID. The FOI/DPA Team will notify the official receiver or HoT when ID has been received and the request becomes ‘valid’. When a valid SAR is received, it will be logged and monitored by the FOI/DPA Team for compliance with DPA. The time limit for the issue of a response is 40 calendar days (the prescribed period) from the date of receipt of a valid request (the relevant day).

Subject access requests (once ID has been validated) should be dealt with by the official receiver (data controller) in each official receiver’s office or by the appropriate HoT holding the information. In official receivers’ offices, the data controller is the official receiver and, for the remainder of The Service, Section Heads act for the data controller (BIS). In addition, the FOI/DPA Team in Technical Section is available to provide specialist advice and, if required, to co-ordinate a response across The Service.

Detailed guidance on responding to subject access requests is available HERE.  

81A.31  Right of access to personal data

Subject to the various exemptions under DPA, bankrupts, company directors, and others are entitled to know what personal data about them is held on any of The Service’s record systems and to have information consisting of their personal data in a permanent and intelligible form. Under the FOIA, the definition of data is extended to include information held in an unstructured filing system, effectively extending the access to personal data contained in any manual files; see paragraph 81A.13 to paragraph 81A.15 for a more detailed discussion of this point. A subject access request will not give the data subject access to view the official receiver's files.

Section 7(1) of the DPA provides that, subject to the remaining provisions of the section and to sections 8 and 9, an individual is entitled:

  • to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
  • if that is the case, to be given by the data controller a description of:
      i) the personal data of which that individual is the data subject,
      ii) the purposes for which the data are being or are to be processed, and
      iii) the recipients or classes of recipients to whom the data are or may be disclosed,
  • to have communicated to him in an intelligible form:
      i) the information constituting any personal data of which that individual is the data subject, and
      ii) any information available to the data controller as to the source of the data, and

  • where personal data are processed by automatic means for the purpose of evaluating matters relating to an individual (for example, performance at work, creditworthiness, reliability or conduct), and this processing is likely to constitute the sole basis for any decision significantly affecting the individual, to be informed by the data controller of the logic involved in that decision-taking.

81A.31A Prescribed (limited) requests for personal data 

The rights provided to a data subject under section 7 of the DPA are for all of the personal data held by a data controller, where this is not subject to any of the exemptions or other limitations on disclosure. This is the default position and requires that when a request is being dealt with a thorough search is carried out to ensure that all the personal data is identified and included for consideration in the response issued.

Where the individual making the request has limited (prescribed) the personal data being requested, section 7(7) DPA is engaged. Where the requesting individual has asked for limited (prescribed) information, covering letter #5A should be used when responding and the schedule (#4 Schedule of information provided) is not required, since the requirement to provide the source, purpose and disclosure details of the prescribed personal data is dealt with in the covering letter.

81A.32  Limitations to subject access rights

Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless: [note 2]

(a) the other individual has consented to the disclosure of the information to the person making the request, or

(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

The reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; but this is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise. [note 3]

For the purposes of the DPA another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request. 

81A.33  Consent of third party

In determining whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to:

(a) any duty of confidentiality owed to the other individual,

(b) any steps taken by the data controller to seek the consent of the other individual,

(c) whether the other individual is capable of giving consent, and

(d) any express refusal of consent by the other individual.  

81A.34  Subsequent requests for personal information

Where a data controller has previously complied with a subject access request, the data controller is not obliged to comply with a subsequent identical or similar request by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request. [note 5]

A number of supplemental provisions are set out under section 8 and in particular limit the obligations under section 7(1)(c)(i) relating to the supply of information in a permanent form where:

  • the supply of such a copy is not possible or would involve disproportionate effort, or
  • the data subject agrees otherwise.
