Covid 19 and Subject Access Requests
25th March 2020
Do the timelines for responding to GDPR data subject requests still apply where an organisation is temporarily closed or capacity to handle requests is curtailed because of COVID-19?
The Data Protection Commission acknowledges the significant impact of the Covid-19 health crisis which may affect organisations’ ability to action GDPR requests from individuals, such as access requests. While the timelines for responding to requests from individuals are set down in law in the GDPR and can’t be changed, we recognise that unavoidable delays may arise as a direct result of the impacts of COVID-19.
Members of the public should appreciate that frontline and critical services organisations such as healthcare providers, government departments, in particular the Department of Employment Affairs and Social Protection, Revenue and local authorities may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests. Educational bodies such as schools and universities, and private sector organisations may be closed or have reduced capacity so that responding to requests may be significantly delayed. We ask you to bear this in mind in the event that you experience any such understandable delays when dealing with these organisations or considering making a complaint to the DPC. We also remind you to please be as specific as possible in relation to the personal data you wish to access. Where a complaint is made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.
We appreciate that many organisations, especially frontline and critical services organisations such as healthcare and social services may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests. We are very alive to the unprecedented challenges facing organisations and the need for a proportionate regulatory approach in response to these extraordinary circumstances.
Any organisation experiencing difficulties in responding to requests should, where possible, communicate with the individuals concerned about the handling of their request, including any extension to the period for responding and the reasons for the delay in responding. The GDPR provides for an extension of two months to respond to a request where necessary taking into account the complexity and number of requests.
Organisations experiencing difficulties in actioning requests should also consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage. Again, organisations should communicate clearly with the individuals concerned. Organisations may also want to engage with individuals in order to ensure that the request is as specific as possible in relation to the personal data sought.
Where an organisation, due to the impact of COVID-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.
While the statutory obligations cannot be waived, should a complaint be made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.