Latest ICO consultation on subject access requests and the ‘conflict of issues role’ for HR professionals

The DPO Centre, the UK’s leading experts on data protection and privacy management, have found that many companies in the UK are not managing their personal data correctly and that the data protection role is often held as a dual and conflicting role within the business. On many occasions the data protection role falls to the HR director or manager.

The Information Commissioner's Office (ICO) has recently released its consultation document focused around manifestly unfounded and excessive right of access requests. This comes at a time when the number of Data Subject Access Requests (DSARs) being received by UK organisations is increasing. A DSAR is more commonly known as the right to make a subject access request. This allows individuals to find out what personal data is held about them for law enforcement purposes and to obtain a copy of that data.

The draft guidance looks at how to deal with requests involving the personal data of others and the restrictions that are most likely to apply in practice when handling a request.

The latest annual report for the ICO reveals that nearly half of all complaints to the ICO now relate to subject access. (1)

However, for many HR directors who are also named as the data protection officer (DPO) there is a clear conflict of interest when an employee submits a data access request.

The ICO states that the role must be free from “conflict of interest and does not take any direct operational decisions about the manner and purposes of processing personal data within your organisation.” And yet DPOs in many companies find themselves with the dual role of also being directors of human resources.

The DPO Centre is calling on HR directors to be able to declare a conflict of interest if a situation arises where an employee submits a DSAR request and for the company to appoint an ‘independent’ data protection officer in that instance.

Lenitha Bishop, Chief Operating Officer at The DPO Centre, argues, “The ICO has drafted detailed guidance which explains in greater detail the rights that individuals have to access their personal data and the obligations on competent authorities and organisations. Companies need to be aware of their responsibilities and where there is a conflict in interest. In practice it is not possible to split their priorities and be a company’s HR director and also an independent data officer, the one working in the interest of the company, the other the data subject; it simply doesn’t work.”

The current consultation also highlights that many companies are struggling to understand when a request is manifestly excessive or unfounded and are looking to the ICO for further guidance.

At the same time, the ICO has also drafted updated guidance on the provisions in Part 3 on how authorities should deal with manifestly unfounded or excessive requests.

In particular, Lenitha Bishop continues, “More examples would be beneficial for companies to understand when a subject access request is excessive or unfounded. For Freedom of Information requests there are vexatious decision notices and guidance to inform decision makers.

“It would be useful for there to be some kind of guidance on how it would operate in certain situations, i.e. the angry customer, the excessive complainer, the employee going through Tribunal proceedings – this would also help reconcile contradictory case law and ensure a more consistent approach across sectors and organisation sizes.”

To assist HR professionals, The DPO Centre recently launched a free, live monthly webinar aimed at HR professionals who deal with DSAR requests, covering the key aspects of this complex subject every second Wednesday of the month. Register to attend here:

DSARs Webinar | What HR professionals need to know | April - Outsourced Data Protection Officers GDPR and Data Protection Compliance (dpocentre.com)

Notes to Editors

The ICO consultation on the draft right of access for competent authorities guidance closed on the 11th of March 2022.


The ICO Annual report
1. hc-354-information-commissioners-ara-2020-21.pdf (ico.org.uk)



About The DPO Centre

Founded in 2017 by Rob Masson, The DPO Centre is the UK’s leading independent data protection resource centre, offering expert advice and ensuring organisations have access to the level of knowledge and expertise they require to comply with the highest standards of privacy and data protection.

Follow the DPO Centre on LinkedIn: https://www.linkedin.com/company/dpo-centre/

The DPO Centre’s services include:
• Providing outsourced Data Protection Officers on a ‘fractional’ basis (so 1 to 8 days per month) that become integral and trusted members of the client’s team
• Interim and overflow resources to support and extend existing compliance teams
• EU and UK representation as required by Article 27 of the GDPR
• A full range of privacy and data protection consultancy and training services to companies across all sectors in the UK