privacy & data protection: subject access requests


DESCRIPTION

A presentation on requests by individuals for access to their data delivered at the 5th Annual Privacy & Data Protection Conference Ireland on 26 January 2011 in Dublin. The full text of the paper underlying this presentation and a flowchart setting out guidance on responding to data access requests are available on email request.

TRANSCRIPT

Page 1: Privacy & Data Protection: Subject Access Requests

5th Annual Privacy & Data Protection Conference Ireland

Subject Access Requests in the current climate

26 January 2010

Peppe Santoro, Commercial Partner

Head of Intellectual Property, Eversheds O’Donnell Sweeney

www.eversheds.ie

www.linkedin.com/in/psantoro

Page 2

Introduction

1. Legislation

2. Exemptions

3. Special Categories

4. Guidance

5. Practical mechanics

6. Tactical use of SARs

7. How can a Data Controller prepare?

8. What can a Data Subject do to secure response?

9. How should a Data Controller respond?

For the full text of this presentation please email dataprotection@eversheds.ie

Page 3

Legislation

• Data Protection Acts 1988 and 2003

• Data Protection (Access Modification)(Health) Regulations 1989

• Data Protection Act, 1988 (Restriction of Section 4) Regulations 1989 (Adoption Act & Ombudsman Act)

• Data Protection Act, 1988 (Section 5 (1) (D)) (Specification) Regulations 1993 (many excluded functions and persons)

• Customs and Excise (Mutual Assistance) Act 2001 (Section 8) (Protection of Manual Data) Regulations 2004 (parallel SAR regime)

• Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009 (High Court inspectors, Director of Corporate Enforcement)

Page 4

Exemptions

• Investigations, prosecutions and tax collecting

• Security and good order of prisons and other institutions

• Statutory functions regarding financial supervision and bankruptcy

• International relations of the State

• Estimating liability of data controller

• Legal professional privilege

• Statistical data

• Back-up data (contrast with UK)

Page 5

Special categories

• Health related information

• Confidential opinions about the data subject

• Data subject’s obligations to vouch identity and enable data controller to locate relevant personal data

• Personal data of third parties – restricted obligation to disclose

• Examinations

• Repeat requests

• Protection of intellectual property and trade secrets

• Coerced subject access requests

Page 6

Guidance

• Data Protection Commissioner Guidance Notes
  – Organisations
  – Individuals

• Data Protection Commissioner Case Studies
  – Successful privilege claim (C9/2008)
  – Unsuccessful privilege claim (C21/2008)
  – Timeliness of response (C9/2006)
  – Completeness of response (C13/2007)
  – Sensitive Personal Data (C2/2007)

• Professional Associations

• Legal advisors

Page 7

Practical Mechanics

• Date of receipt – 40 days starts to run (if request correct)

• Fee payment - exception

• Vouching identity and enabling data controller to identify relevant data

• Informal negotiations to limit scope (often unsuccessful)

• Evaluation of possible exemptions and special categories

• Determining format of response

• Provision to data subject

Page 8

Tactical use of SARs

• A substitute for discovery?

• Specific instances of use
  – Employment litigation
  – Banking litigation
  – Professional negligence
  – Mass tort claims

• Fishing expeditions (significant cost to data controller)

• Leverage/pressure

• Importance for data controller of robust processes

Page 9

How can a Data Controller prepare?

• Ensure general compliance with data protection principles (delete unnecessary data, ensure data is correct etc.)

• Delegate responsibility to one/two individuals and ensure they are known to all staff - establish process for receipt and internal forwarding

• Be aware of responsibilities of data subject - utilise relevant exemptions and assess special categories of information

• Ensure “back-up data” is within DPA definition. Structure manual filing so as to be outside “relevant filing system” definition (if possible)

• Have procedure in place to execute small and large scale redaction

• Understand relevant systems (eg email, CCTV, manual filing)

Page 10

What can a Data Subject do to secure response?

• Ensure request is clearly framed and made in line with DPC guidance

• Provide requisite fee (€6.35) to the data controller at time of request

• Ensure request is as clear as possible and enables data controller to identify information

• Provide information vouching the identity of the data subject

• Respond in a timely manner to requests for clarification from data controller

Page 11

How should a Data Controller respond?

• Establish date of receipt and timeline for response

• Verify compliance by the data subject with their obligations

• Gather all potentially relevant data, filter for irrelevant information, exemptions, special categories

• Redact information appropriately

• Record data gathered, data withheld (with rationale), data redacted and data furnished to data subject

• If in litigation, disclose in a manner that helps opponent the least (usually hardcopy)

For a flowchart describing this process please email dataprotection@eversheds.ie

Page 12

Online Resources

• www.irishstatutebook.ie – all legislation referred to in this presentation is available online

• www.eversheds.ie – Website of the firm with useful information published regularly in all areas

• www.dataprivacy.ie – Website of the Irish Data Protection Commissioner, useful for guidance and casenotes

• www.basis.ie – Business Access to State information and Services, the Irish Government portal for business information

• www.mondaq.com – Leading global aggregator of law firm news and information

• www.linexlegal.ie – UK and Irish aggregator of legal information

Page 13

Any questions?

Page 14

Disclaimer

The information in this presentation is for guidance purposes only. It does not constitute legal or professional advice. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. No liability is accepted by Eversheds O’Donnell Sweeney for any action taken in reliance on the information contained herein. Any and all information is subject to change. Eversheds O’Donnell Sweeney is not responsible for the contents of any other website or third party material which can be accessed through or is referred to in this presentation. All rights (including the rights of third parties in any logos and trade marks used herein) are reserved.

Eversheds O'Donnell Sweeney is an Irish partnership and a member firm of the Eversheds International network of firms affiliated with Eversheds International Limited, an English company limited by guarantee. Member firms of Eversheds International are independent firms and members of Eversheds International Limited, but have no authority to obligate or bind Eversheds International Limited or one another vis-à-vis third parties. Neither Eversheds International Limited nor any of its member firms have any liability for each other’s acts or omissions.

Page 15

Thank you

Peppe Santoro, Commercial Partner

Eversheds O’Donnell Sweeney

One Earlsfort Centre, Earlsfort Terrace

Dublin 2

+353 1 6644200

[email protected]

www.linkedin.com/in/psantoro

www.eversheds.ie