How to deal with a subject access request from a third party
An independent financial advisor client of Astrid’s recently received a subject access request. To make matters more complicated, the request came through a third party, a financial claims firm. We look at how to deal with a subject request from a third party and how to ensure that it’s a genuine data request.
The subject access request
The independent financial advisor received a subject access request - but not directly from their client. The request came from a financial claims firm on behalf of their client. This third party requested ‘all records’ that the IFA had on that client.
The letter looked legitimate and the claim company was registered on the Ministry of Justice financial claims database so it looked like it was a genuine subject access request to the IFA. On the other hand, the letter referred to older data protection law rather than the Data Protection Act 2018 (that incorporates the requirements of the General Data Protection Regulation). This raised concerns that the letter wasn't genuine. Was it a scammer trying to get information about a client?
How to respond to this subject access request
So what should a company do in this case?
1. Treat the request as genuine until you can prove otherwise
Always start with an identity check on the person whose data is in the subject request. You must be able to show that the person whose data is being sent is definitely the right person. Imagine sending a client's financial details only to find they didn't actually make the request! 2. Prepare for the request to be genuine
You have 30 days to find and provide the information requested. The Information Commissioners Office (ICO) expects organisations to respond promptly to subject access requests and meet the requirements of the request where possible (without breaching the privacy of others).
While you're confirming that the request is genuine, make sure you're using the time appropriately to find their information. It's probably reasonable to ‘stop the clock’ while you're doing the ID check but if a legal claims firm is involved you don't want to give them further grounds for complaint or penalty.
No response on whether the subject request was genuine
In our IFA client's case, they received no response from their client confirming the request was genuine. They had effectively reached an impasse. To release personal data to a third party without a confirmed ID check would be a significant data breach. To not respond to the subject access request would not be compliant with GDPR.
The ICO's advice was, in this specific case, for the IFA to send the copies of the personal data to the client directly rather than to the third party (the IFA was able to identify the client and their current address). This way, the IFA would meet the requirements of the subject access request without risking a breach of confidentiality. Their client would then be able to review the information and choose to forward on the information to the third party if they so wished.
Further guidance on subject access requests
Astrid provides clear guidance and a simple template for companies to use when they receive subject access requests. It helps record the type of subject request received, guides users through the steps they need to take to respect the privacy of all individuals involved and records the outcome of the process. Subscribe today to download this handy template and get your GDPR compliance system up to scratch.
Protect your business - become and remain GDPR compliant with Astrid