Subject Access Request (SAR) GDPR Guide: Highland Council
How to make a Subject Access Request & other data requests under the Data Protection Act 2018 & GDPR to obtain access to your data that the Highland Council holds.
This Subject Access Request guide is specific to SAR requests directed to the Highland Council. I will cover what you can request & also give away a pile of their tricks they like to use that frustrate your access rights plus some tips on how to circumvent these.
First, read & consider Article 15 GDPR. Article 15 entitles the data subject to access to a number of types of information relating to the processing of your data.
It's also a good idea to read Article 12 GDPR as it covers, “Transparent information, communication and modalities for the exercise of the rights of the data subject” which the data controller must comply with when processing your SAR request.
Examples of personal data you can ask for:
All case file data including database extracts. In planning, for example, the Council uses IDOX Uniform database & you are entitled to extracts/screenshots of all tabs in the database + the audit logs capturing user activity in the database.
All internal & external correspondence. The Council use Microsoft365 so, Outlook email services & Microsoft Teams data.
Any other information comprising “personal data”. Depending on the area of the Council you are requesting access to data from there may be specialised material & it's worth looking into what sort of records they may keep.
Tricks they play & how to circumvent them.
I will preface this with the best tip I have for any individual who has been unfortunate enough to have had the Highland Council process their data….
Keep your sense of humour about you because that is the only way you will make it through this absurd exercise with your sanity still intact. Buy the ticket 🎟️, take the ride 🎡 folks!
Moving right along…
The Article 12(3) extension. Probably one of their most often utilised tricks. I haven't met a single person who has sent them a SAR without the Council claiming an extension due to their request being deemed “complex” or claim there is a “large volume of data” which gives them 2 further months to comply. They use it so often they even refuse to answer FOI requests about their (mis)usage of the Article 12(3) extension as I'm sure the stats are staggering. The truth is that they are both disorganised & just generally resistant to & indifferent about GDPR compliance. They do not have a Record of Processing Activities (RoPA) as required under Article 30 GDPR - just a mish mash of disorganised policies & registers. If they had a RoPA, it would set out all the repositories of records needing searched for each category of data subject streamlining the process. They are also not using the tools they already have in Microsoft365 like retention policies, labelling & other records management tools to organise data nor do they use effective search methods via e-Discovery search queries. Instead, they pretend it's still 1999 and just inefficiently scramble around asking different random staff for data and almost none of them are trained in data protection or even know what constitutes “personal data”. So, when the Highland Council tells you its “complex” in your Article 12(3) extension email, it probably just means they are so disorganised they can't find a damn thing which isn't the data subjects problem nor grounds for a Article 12(3) extension. It's an infringement of Article 25 to claim an extension for their own disorganisation & that directly affects data subjects rights. Last word of warning, sometimes they like to wait & see if you'll forget about your SAR deadline of 1 month & when you chase it up, only then do they apply an Article 12(3). Don't stand for it. If they have waited for the initial month deadline to pass & then claim the extension, complain to them. Give another month & then report to the ICO.
Silent Treatment. This just simply means they have data they don't want you to see… like in my own case. Don't stand for it. Keep track of the deadline dates and hold them tight to them. Follow the process to lodge a complaint at the ICO or consider a court claim.
Push them to use Microsoft e-Discovery. As I say… they are big fans of manual searches by untrained staff like it’s 1999. Let them do that, but, also push for e-Discovery searches AND the results of those searches! Even lay out the search queries you think they should use like variants of your surname or address or other unique search terms that could spring results. They tried to claim in my court case e-Discovery produced too many results and said it was too difficult to use even though they tried once or twice before they said. So, what did I do? I lodged the Microsoft manuals into the court record.😂 Here's some links to those in case they try that nonsense on with you too. 👍
Microsoft Office 365 - Using e-Discovery to Respond to DSARs and Microsoft Office 365 - Using Keywords in e-Discovery.
Partial Disclosure. I will just say that prior to me raising the Article 79 claim in court, even after the ICO complaint was closed, the Council only gave me 13 pages of data. 9 of those pages were my own emails I wrote them. Post-court action they have disclosed hundreds of pages more dating back to 2007. Trust me when I say this Council are data hoarders. They don't throw anything out potentially useful to them even when their retention schedule says they must. They have vast retention schedules hundreds of pages long & no retention policies switched on in Microsoft365. Does the retention schedule make it look like they probably deleted older data of yours you wanted access to? No worries, they probably still have it anyways! You just need to drag it out of them. Ask yourself how with the high turnover of staff they manage to keep up with these retention schedules then? Post-it notes at their hot desks that say, “Review & delete John's planning case file in February 2033”? They claim to have found an old paper case file of mine in a cupboard retained 8 years past it's retention date in the back of a planning office, not accessioned into an archive, nothing. In my opinion, *someone* was keeping it as a “pet project”. In any case, their archive service run by High Life Highland, they have no data processing agreement with so who really knows what is going on with any of your data if it's stored in there. If it seems like they have not made a full disclosure, ask them for documentary evidence of their searches including search terms used, databases searched & so on. The burden is on the data controller to demonstrate compliance with GDPR & that includes demonstrating that reasonable & proportionate searches were conducted.
Redactions. For every redaction made by the data controller they must raise an exemption found in the schedules of the Data Protection Act 2018 & justify that exemption if you challenge it.
I will keep adding to this list in future so, check back for updates!