Data Subject Rights: The Right to Access
Introduction
The computing advancements of information and communication technologies of the 21st century heavily rely on the company’s capacity to gather, store and transfer personal data as digitised data assets. While these data have become company assets, they were obtained from individuals whose rights to their personal data must be protected and advanced. Currently, data protection legislations regulating personal data access and circulation provide for the Data Subject Right to Access which was introduced by Article 15 of the General Data Protection Regulation (GDPR).
Understanding the Right to Access
Data protection laws worldwide provide data subjects with specific rights in relation to their personal data. They include, the right to; be informed, access personal data, restrict processing, the rectification of personal data, object to processing, data portability, delete/erasure of personal data, lodge a complaint with the supervisory authority, give and withdraw consent etc. This article will discuss the right to access specifically.
Article 15 of the GDPR establishes one of the most fundamental rights under many data protection frameworks: Users have the right to request a copy of all the personal data that they have about them. The goal of this right is to return control and awareness to the users of the personal data they share, consciously or not.
According to the ICO Guidance, “the right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why you are using their data and check you are doing it lawfully.” This right is very important, as it forms the basis upon which all other rights are sustained.
What You Can Access Under this Right
In exercising the right to access, individuals have the right to access and obtain the following from a controller:
- confirmation that their personal data is being processed by the controller;
- a copy of their personal data;
- other supplementary information; and
- A standard copy of the controller’s privacy notice.
How to Request Access (Request Methodology)
Generally, a Data Subject Access Request (DSAR) can be made either orally or in writing. However, it is ideal for making the request in writing (for obvious reasons), and electronically (for convenience).
The data controller’s website implements its procedure to start a subject access request. Usually, their DSAR procedure is described in their privacy notice. If you notice that the procedure for commencing a DSAR is not specified in a company’s privacy notice, do escalate it.) The popular procedure is to contact the DPO via an email address dedicated to that purpose.
Things to Consider in Other to Ascertain the Degree of Compliance with a DSAR
- Identification.
The right to access should only be exercised by the data subject personally, as such, the data controller, in responding to this right, must only grant access to the personal data requested to the data subject and no one else. Therefore, to ensure this, before transmitting the data, the controller, through its DPO, should verify the requester’s identity by requesting identification documents, sworn declaration etc. Very scrupulous controllers may request to re-authenticate through a phone call to finalize the request.
A company that complies with the DSAR without verifying the requester’s identity will sooner or later violate privacy principles by granting access to personal data to an unauthorised person.
- Response time
Another thing to consider is the time the controller takes to respond to a DSAR. Once a DSAR is received by a controller, it has 1 month to process the request and provide the relevant personal data. Where necessary, the controller can extend that period for additional two months (See the ICO Guidance on access request), but it must communicate the delay to the data subject before the end of the first month.
- Information obtained
Importantly, scrutinise the information received from the data controllers for inconsistencies or incompleteness. It is not enough to send to data subjects the information they personally made available to the controller. A quick perusal of many privacy notice pa3ges of controllers, it will be noticed that their websites store much more information, for example, the IP address, browser type, device name, the last session log-in with the related information about the IP, the access time, and the session time. All this information must be provided when addressing a DSAR. The information obtained must also be in a machine-readable format, sent as an encrypted file with the encryption key sent through another channel, to avoid personal data falling into the hands of an unauthorized person.
Access to personal information granted by a data controller must be specifically tailored to the data subject. In other words, it must not include information about another data subject.
Conclusion
The right to access is very important. Without it, the exercise of other rights may become laborious, as one can only rectify, restrict or object to the processing of the personal data they are aware of.
