At a glance
- Part 4 provides individuals with a number of rights, including:
- the right to information;
- the right of access;
- the right to object;
- the right to rectification;
- the right to erasure; and
- rights in relation to automated decision-making.
- Under Part 4 you can charge a fee for dealing with a subject access request. The level of this fee may be set by the Secretary of State in regulations but, in the absence of any such regulations at this time, the maximum fee is set at £10.
- You should communicate any information that you are required to provide by Part 4 in clear and plain language.
- Individuals can exercise their rights by making a complaint to the ICO or taking matters to court.
Checklists
☐ We make information available about how we process personal data. This information is clear and easy to understand.
☐ We know how to recognise a SAR and we understand when the right of access applies.
☐ We understand what steps we need to take to verify the identity of the requestor, if necessary.
☐ We have processes in place to allow individuals to exercise their rights, and to deal with these promptly and within the correct time limit.
☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
In brief
- What rights do individuals have?
- What is the right to information?
- What is the right of access?
- What is the right relating to decision-making?
- What are the rights around automated decision-making?
- What is the right to object?
- What is the right to rectification?
- What is the right to erasure?
What rights do individuals have?
Individuals have a number of information rights in Part 4:
- The right to information about the processing.
- The right of access.
- The right to information about decision-making.
- Rights around automated decision-making.
- The right to object.
- The right to rectification.
- The right to erasure.
These rights may be restricted by the application of the national security exemption, or other exemptions listed in Schedule 11 of the DPA, where required.
What is the right to information about the processing?
This is a right for individuals to be proactively informed about the processing that is happening. It is distinct from the right of access to an individual’s own personal data, and is closely connected to the transparency aspect of the first principle.
The right to information does not distinguish between whether data is collected from the individual directly, or indirectly from another source.
The information you need to provide is:
- your identity and contact details as controller;
- the legal basis on which you are processing personal data;
- the purposes for which you are processing personal data;
- the categories of personal data relating to the individual that you are processing;
- the recipients or the categories of recipients of the personal data (if applicable);
- the right to lodge a complaint with, and contact details of, the ICO;
- how to exercise their data protection rights; and
- any other information that is needed to ensure that the personal data is processed fairly and transparently.
The nature of covert intelligence and analysis necessarily imposes limits on what you can say, but you should aim to be as transparent as possible. When providing “any other information” you should include any other relevant details which help individuals and the public at large understand the nature and context of the processing, and inform their reasonable expectations. You should consider whether there is anything else you can reasonably provide which would help people understand what’s going on. This will ensure your processing is not unexpected and the privacy information is not misleading. This will help you demonstrate your compliance with the fairness element of the first principle.
How you provide this information is up to you, but you should be able to justify your decisions – in particular if you decide to provide this information by a generally available notice.
Quite a lot of this information is likely to be fairly generic and won’t vary from person to person. For example, who you are and what you do, your lawful basis for processing, and what categories of personal data you process. In this case a public notice may be appropriate, although the most appropriate way to provide it will depend on the context (eg on your website, intranet or in a notice to a contractor).
What is important is that the relevant information is made readily available to the relevant target audience. For example, your intranet is not an appropriate method to communicate information to the general public, but is appropriate for telling your staff how you process employee data. When making a decision about what method to use, consider the ways you can effectively provide the information and the audiences it will reach, making sure you do not miss categories of people you need to provide the information to.
You are not required to provide this information if:
- the individual already has the information; or
- you obtained the data from a third party and it is impossible, or would involve disproportionate effort, to provide it to the individual.
To rely on the “disproportionate effort” provision, you must assess (and document) whether there is a proportionate balance between the effort involved for you to provide individuals with privacy information and the effect that your use of their personal data will have on them.
It is highly unlikely that these provisions will apply if you are in a situation where it would be appropriate to publish general information about your processing by a generally available notice, for example a privacy notice on your website. You should therefore provide privacy information in this way.
You are not required to provide information to the individual if you collect their data indirectly and this is authorised by an enactment. For example, under the IPA 2016 (which provides various powers for the intelligence services to obtain information).
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and to check you are doing it lawfully.
Under this right, individuals can obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data in intelligible form. This includes providing an explanation of any technical terms or jargon which might otherwise obscure its meaning to the reader; and
- other supplementary information (this largely corresponds to the information that you should provide in a privacy notice).
You should comply with a subject access request (SAR) by providing the individual with a copy of their data in writing, unless:
- this is not possible;
- it would involve disproportionate effort; or
- the individual agrees to receive it in another form.
When considering whether providing a copy would involve disproportionate effort, you should consider the effort required in doing so against the value to the individual of receiving that copy. If you decide that it would be disproportionate, you should record your reasons, and be able to explain them to the individual and the ICO.
You can charge a fee for a SAR under Part 4. The level of this fee may be set by the Secretary of State in regulations but, in the absence of any such regulations at this time, the maximum fee is set at £10.
You need to be satisfied that you know the identity of the requester. If you are unsure, you can ask for information to verify an individual’s identity. You can ask for enough information to judge whether the requester is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.
The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly.
There may also be times when you need additional information from the individual in order to identify and locate the data that they are requesting. This may particularly be the case if the request is phrased in very broad and general terms. You should not seek clarification on a blanket basis; only do so if you genuinely require it in order to locate the requested information and respond to a SAR. Again, the timescale for responding to a SAR doesn’t begin until you have received the additional information. You should request this additional information promptly.
If you have previously complied with a request, you don’t have to respond to a repeat request for the same information, unless a reasonable interval has elapsed. When deciding whether a reasonable interval has elapsed you should consider:
- the nature of the data (including whether it is particularly sensitive);
- the purpose you are processing the data for; and
- how often you alter the data.
If it is unlikely that the data has changed between requests, you may decide you do not need to respond to the same request twice (although you should still acknowledge it). However, if you have deleted data since the last request, you should inform the individual of this.
In some cases the requested data may also contain information relating to another individual (including any references identifying an individual as the source of the data). You should then consider whether it is possible to comply with the request without disclosing information that identifies the other individual. For example, by omitting their name or other identifying information. If this is not possible, you do not have to disclose the information except where:
- the other individual consents to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without their consent.
You should keep a record of what you decide and why.
You need to provide the information to the individual ‘promptly’ and, in any event, within one calendar month of receiving it (ie within one calendar month of the day you received the request). If you have requested a fee, additional identification, or further information to locate the data requested, the one month time period begins on the day you receive it.
If you are unable to comply with a request, you should inform the individual about:
- the reasons why (where possible);
- their right to make a complaint to the ICO; and
- their ability to seek to enforce this right through the courts.
If you are relying on an exemption to refuse to comply with a SAR, where possible you should explain the reasons why you consider this exemption applies. However, this will depend on the specific circumstances of the request. In some situations, your response may be more general and may not include details of which exemptions you have relied on at all. For example, where telling an individual that you have applied a particular exemption would prejudice the purpose of that exemption.
What is the right relating to decision-making?
Where you are processing data and applying the results to an individual, section 98 says that they have the right to know the reasoning underlying that processing. This applies whether the processing and results (or decision-making) are automated or not. There isn’t a requirement to proactively give this information to the individual, but if it is requested you must provide it promptly and without undue delay.
What are the rights around automated decision-making?
You should not make any decision solely by automated means that significantly affects an individual, unless:
- the decision is required or authorised by law;
- the individual has given consent to the decision being made this way; or
- it is needed for entering into or performing a contract with the individual.
A significant effect is not defined, but includes a decision which has a legal effect on an individual (whether adverse, or not). However, this is not the only factor, and you need to take into account the significance of any decision of this nature on an individual – taking into account the specific circumstances.
This right only applies to automated decision-making. This is where decisions are made about individuals automatically, and without human input or intervention. This is distinct from “automated processing” (eg the collection, storage, or other processing by IT systems or other automated means) – although automated processing will be involved in automated decision-making.
If the automated decision is required or authorised by law, you must notify individuals that such a decision has been made and that they have a right to request human intervention in that decision-making. They can request the decision is reconsidered, or request that a new decision is taken which isn’t based solely on automated processing.
You must consider any request, including any relevant additional information the individual provides, and inform them in writing of the outcome of that consideration.
This right to be notified, and to have intervention, doesn’t apply if the automated decision-making was done:
- with the consent of the individual; or
- for the purposes associated with entering into or performing a contract with them.
What is the right to object?
Individuals have the right to object to the processing of their personal data (either in general or in relation to a specific purpose), on the grounds that they believe that the processing is an unwarranted interference with their rights or interests. The individual must inform you of their specific reasons why they believe the processing constitutes an interference, and why it is unwarranted in the circumstances. If you receive an objection you should consider it. You may continue with the processing while you are considering the objection.
If you decide to agree to the objection, you must stop the processing. If, having carefully considered the necessity and proportionality of the processing, you decide that in the circumstances the processing is not an unwarranted interference, you can continue processing.
Whether or not you agree with their objection, you must inform the individual of your decision within 21 days, and give your reasons. If you need to verify the ID of the requester, or need further information to locate the data in question, this period doesn’t start until you have received the information you reasonably require. If you do not comply with an objection from an individual, they can challenge this through the courts.
What is the right to rectification?
Individuals have the right to request the rectification of their personal data if they believe it is inaccurate.
As a matter of good practice, you should put in place processes that allow individuals to inform you of any concerns they have about the accuracy of data you are processing about them. You should also establish a mechanism for assessing these concerns and making corrections or adjustments to data that you hold, if you think these are necessary. You should also make a record of the reasons behind your decisions, as this will assist you if the individual takes the matter to court.
Taking these steps will assist you in complying with the data limitation, storage limitation and accuracy principles. It will also help to ensure you effectively implement individuals’ rights in line with your general accountability obligations.
An individual can seek to enforce this right through the courts. The court may order you to rectify the data without undue delay.
In certain circumstances the court may order that the processing of the data is restricted, as an alternative to rectification. This may occur if:
- the data in question must be maintained for evidential purposes; or
- an individual contests the accuracy of data, and the court decides that you cannot determine its accuracy.
“Restriction of processing” is defined as marking stored data with the aim of limiting its processing for the future.
An individual may also make a complaint to the ICO if you fail or refuse to rectify inaccurate data.
What is the right to erasure?
Individuals have the right to request the erasure of their personal data if they believe the processing of the data contravenes any of the data protection principles.
As a matter of good practice you should put in place processes that allow individuals to request the erasure of their personal data, and for you to consider these requests. You should make a record of your decision-making.
An individual can seek to enforce this right through the courts, and the court may order you to erase the data without undue delay.
Alternatively the court may order that you restrict the processing of the data, rather than erase it. This may occur if:
- the data in question must be maintained for evidential purposes; or
- the accuracy of the data has been challenged, and the court decides that you cannot determine its accuracy.
An individual may also make a complaint to the ICO about a failure or refusal to rectify inaccurate data.