Imagine it is the year 2001. The Data Protection Act 1998 has been in force for a year. Some of us are excited about data protection; most are not. Subject access requests are relatively rare. The well-known Durant decision, which set limitations on the meaning of ‘personal data’ in the context of a subject access requests, would not be made for another two years.
Flash forward 10 years to 2011. There have been high profile data protection breaches in recent years. Individuals are now much more aware of their rights. Subject access requests are common, and are the top reason for data protection complaints to the ICO. Whilst Durant is still a leading EU case, both UK and EU guidance provide different ways to interpret ‘personal data’, expanding the recommended scope of searches for controllers to undertake when a SAR is received.
It is now 2021. The UK has left the EU, and has changed its data protection regime twice in the last 10 years, transitioning from the DPA 1998 to the EU GDPR (in 2018), and then on to the UK GDPR (in 2021). SARs have consistently been the most common reason for data protection complaints to the ICO. Almost 18,000 SAR complaints were reported for April 2019 to March 2020. The legal regime, the use of SARs by individuals, and the approach taken by controllers all look substantially different to how they did 10 years ago.
In this article, I take you on a tour of subject access requests from 2001 to 2021, and discuss the most recent trends in how SARs are handled.
Olivia Whitcroft, principal of OBEP, 16 December 2021
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details