Don't Play Dumb with Access Requests: Data Protection Case Study

While reading the precise guidelines and regulatory requirements set out in Irish and European data protection legislation is the best way to ensure compliance, seeing how various individuals and organisations deal with them can be very helpful in promoting a more thorough understanding of what processes your business should adopt. That is why we look at a variety of case studies, such as this one that came before the data protection commissioner in 2017.

The Issue

The office of the data protection commissioner received a complaint from an individual who had placed a data access request with an educational body. Specifically, the complainant was looking for CCTV footage for a four-hour period during which they alleged that they had been assaulted by an employee from the organisation in question. Despite there being 8 cameras on the premises, the complainant only received an 11-second clip from the CCTV footage, which ended just as the alleged assault came into frame. When the complainant queried the amount of material they had been provided, the educational organisation said that this would be treated as a new data access request.

The complainant stated that they believed that this was a delaying tactic so that the organisation would not have to release the CCTV footage in question as it would be deemed lost or no longer retained. For their part, the educational organisation said that it had interpreted the access request to relate to footage of the incident in question only.

The organisation did, however, acknowledge that the other CCTV cameras would have picked up images of the complainant not related to the alleged assault, and that these images had not been released to the complainant as part of the request. The office of the data protection commissioner found that these images should have been provided to the complainant. As the educational organisation only retained CCTV footage for 28 days, by the time that the complainant had come back to query the amount of CCTV footage received in response to the access request, the additional CCTV footage had been overwritten.

Outcome

The Commissioner deemed that the data access request had clearly set out that the complainant was seeking access to CCTV footage from all 8 cameras over a four-hour period. Furthermore, she stated that having received the initial request the educational organisation should have sought to clarify the parameters with the complainant, rather than making a unilateral decision. The educational organisation should have preserved the footage pending the outcome of this clarification. The educational organisation therefore contravened Section 4 of the Data Protection Acts 1988 and 2003 in failing to provide the complainant with all of their personal data within the statutory 40-day period.

Takeaways

This case illustrates the importance of complying with a data access request in full, and also the necessity to link in with the applicant if there are areas of ambiguity – though there seem to have been none in this case.

It also shows the importance of retaining all records relating to the person making a request pending the completion of the request, and also for a period thereafter in case there are queries. What is particularly worth noting is that once a request is received, all routine deletions of records related to the request must cease – even if automated.

If you would like more information on how to deal with data access requests, please see our previous blogpost on the topic here: Handling Data Access Requests
