Unjustified extension

Published: 15 February 2024


Background
The complainant made a Subject Access Request to a healthcare provider to obtain information relating to the provision of medical care. Acknowledgement of that request was promptly received. 

After a period of over one month, no further communication from the healthcare provider had been forthcoming. The complainant contacted the healthcare provider seeking an update on their Subject Access Request, to which the healthcare provider responded, claiming that they would have to apply an extension period of two months, provided for by section 27(4) of the Law, to the Subject Access Request. No reasoning was given to justify the need for the extension period.

A further two months passed in which the complainant received no further communication from the healthcare provider. Following e-mail correspondence with the healthcare provider, it became clear that the healthcare provider was applying another extension to the Subject Access Request, of which they notified the data subject in writing. This time, however, the healthcare provider cited the range and complexity of the systems the personal data was stored on as the reason for the extension.

The complainant made a complaint to the ODPA.

A subsequent investigation by the ODPA found that the healthcare provider breached an operative provision of the Law – namely section 27(4) relating to compliance with the ‘designated period’. The Data Protection (Bailiwick of Guernsey) Law, 2017 is clear that in order for a controller to appropriately apply an extension to a Subject Access Request under section 27(4), the ‘complexity’ of the request must be taken into account as opposed to the complexity of the controller’s systems on which the personal data is held. Furthermore, in instances where an extension is valid, this can only be applied once and the request must be fulfilled by the end of the initial extension period.

Learning point
A key learning point that arises from this situation is that controllers must consider the request itself, rather than internal factors, when determining the appropriateness of applying an extension to a Subject Access Request.