GDPR and Subject Access Requests
Recently there have been changes made to data protection law by the introduction of General Data Protection Regulations (GDPR). This means UK legislation has now been updated to the Data Protection Act 2018. In practice, many of the principles of GDPR are similar to those that existed under the Data Protection Act 1998 but there is a greater emphasis on things like individual rights and higher standards for consent. In line with these changes, HMPPS have published an updated Prison Service Instruction on the subject, PSI 03/2018.
This article sets out how these recent changes could affect you if you or someone you know is currently in prison.
There is one area which we expect to be of particular interest to people in prison. We are regularly asked about how you can get copies of personal information the prison holds about you. This is known as making a Subject Access Request (SAR), and is covered under GDPR under the ‘Right of Access’.
One of the barriers to this under the previous legislation was the fee that prisons usually charged, which could be up to £10. This is a considerable sum to someone relying on measly prison wages, and sometimes discouraged people from doing it. There has however been a welcome change to guidance about charging for Subject Access Requests. The Information Commissioners Office (ICO) is clear that under GDPR in fee cannot be charged to comply with a subject access request – except if a request is ‘manifestly unfounded or excessive’, or if a person requests further copies of their data following a request, when a “reasonable fee” be charged for the administrative costs of complying with the request.
If you would like a copy of information held by the prison about you, you can make a Subject Access Request by writing the request on a normal wing application, or by using the ‘Subject Access Request Form’ at the back of PSI 03/2018 – ask an officer for a copy of this or contact our service if you need one. Your request will be sent to the prison service data protection team to be processed. The prison has one month to respond to your request. This has changed from 40 days under the previous legislation.
You should be aware that there is some information which the prison does not have to share with you, even if it is on your file. This could be because it relates to another person, or because the information is being used for the prevention or detection of crime. If this is the case then the prison can lawfully redact this information from the copy they provide you.
If you find that personal data held by the prison is not accurate, you have the right to have it corrected. If it cannot be clearly proven that the data is inaccurate, the prison should still make a note on the record that you do not agree with the information – this might be the case with matters of opinion, for example.
You can complain about the contents of your file using the normal complaints procedure. If you are not happy with the response you can then ask The Information Commissioner’s Office (ICO) to look into it. You should do this within a year of first seeing the information you are unhappy with. You can call their helpline on 0303 123 1113 or write to them at:
Information Commissioner’s Office
Casework and Advice Section
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
If you would like us to send a copy of the new PSI or information about GDPR please contact us on the information below. Unfortunately, we cannot send copies of the full legislation due to the size of these documents.
Please note, the above article focuses on prisons in England and Wales and may not apply elsewhere.
Advice and information service
If you know of someone in prison in need of advice and information find out how you can put them in touch with our service.
