DISCLAIMER: SEE THE END OF THIS POST.
We've been asked about a tricky situation: a data subject makes a subject access request, but employees at our client have added personal remarks, sometimes derogatory or uncouth, to the data subject's file. Must those remarks be disclosed?
Here's how we approach it. GDPR Article 15 states that "The data subject shall have the right to obtain from the controller… access to the personal data" that the controller holds on that data subject.
On the face of it, then, if a person requests to see their personal data, the company must provide all of it, "personal data" meaning "any information relating to an identified or identifiable natural person" (Article 4.1). A note written by an employee about the data subject is information relating to that person, so it is in scope. However, GDPR Article 15.4 (reflected also in the Data Protection Bill, section 43.4.e) makes an exception: "The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others."
What are the rights and freedoms of others? GDPR recital 63 states:
"That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates."
One could argue, and in the right circumstances would argue, that revealing an unkind, nasty or even racist remark about a data subject would adversely affect the 'rights and freedoms' of the employee who wrote it; employees presumably expect that such remarks will not be shared or revealed. Conversely, they should not be writing racist remarks in the first place, and it is far from settled that an author's embarrassment outweighs the data subject's right of access. So this is a grey area for now. We advise our clients to be aware of the problem; the best course is to train staff to assume that anything they write into a file may eventually be disclosed to the person it concerns, and to write accordingly.
However, in many cases there is no avoiding writing some unpleasant information into a personal file. So, once staff have been trained to minimise such comments, there is a second line of defense, namely the 'rights and freedoms' of the employees and of the company. These may be sufficient grounds to withhold such data for now, but staff should still be urged not to add material which, if accessed, would be harmful to the company, to employees or to third parties. We advise our clients to state this in their data protection policy.
Can such data be deleted outright? There are broader legal considerations here. The UK ICO wrote under the current directive / DP Act: "The Act specifies that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request.
However, it is not acceptable to amend or delete the data if you would not otherwise have done so. For organisations subject to Freedom of Information legislation, it is an offence to make such an amendment with the intention of preventing its disclosure."
In other words (taking the current Data Protection Act as inspiration): a Data Subject Access Request relates to the data held as of the date of the request. So, assuming one is not subject to the FOIA, for example, a policy of routinely deleting irrelevant or hurtful data may allow such data to be erased systematically before it is ever requested. The caveat, per the ICO text above, is that the deletion must be something you would have done anyway: a genuine, documented retention practice applied on a schedule, not a clean-up triggered by the arrival of a request.
In summary: in principle, a data subject has a right to obtain all of their personal data, including hurtful remarks. If revealing those remarks would adversely affect the rights of the company or of employees, then perhaps they need not, or must not, be shared. A policy of preventing such data from being written in the first place, and of erasing it systematically if it is, is a further line of defense, and it should be stated in the data protection policy. Finally, training and awareness are the best way to avoid the problem altogether.
DISCLAIMER: THIS IS NOT LEGAL ADVICE, THESE ARE OUR MUSINGS, BASED ON OUR EXPERIENCE WITH OUR CLIENTS AND COLLEAGUES, AND WERE ORIGINALLY SHARED OR WRITTEN IN A VERY SPECIFIC CONTEXT. YOU CAN DRAW INSPIRATION, AND TELL US IF YOU HAVE INTERESTING COMMENTS, BUT WE HAVE NO RESPONSIBILITY FOR THESE OPINIONS VIS-A-VIS OUR READERS.