Lasting Power of Attorney and DSARs

Last month I turned 65, and it felt a bit of a milestone to me - time for some reflection. So I took this opportunity to update my Will and also put in place Lasting Power of Attorney for my later years.  Not that I'm planning to lose my marbles yet, but the timing felt right. This got me thinking about the effect of LPAs on Data Subject Access Requests, especially as I've historically had first hand experience of responding to these when an LPA has been in place - just not necessarily the right one.

The UK General Data Protection Regulation (GDPR) has established robust rights for individuals, including the right to access their personal data. This right, known as a Data Subject Access Request (DSAR), allows individuals to understand what data is being held about them and how it is being used. But what happens when an individual is unable to make such requests themselves? This is where a Lasting Power of Attorney (LPA) becomes crucial, but it also has to be the right one.

Understanding Lasting Power of Attorney

A Lasting Power of Attorney is a legal document that allows an individual (the donor) to appoint one or more people (attorneys) to help them make decisions or to make decisions on their behalf. This is particularly important if the donor loses mental capacity. There are two types of LPA: one for health and welfare decisions, and another for property and financial affairs. For the purposes of DSARs, and depending on the nature of the request, you must have the right one in place.

The Role of an Attorney in DSARs

When an individual has appointed an attorney through an LPA, the attorney can act on their behalf in making DSARs. This is particularly important for individuals who may be incapacitated or otherwise unable to manage their own affairs. The attorney effectively steps into the shoes of the data subject, making requests for access to personal data held by various organisations. 

Legal Basis for Attorneys Making DSARs

Under the UK GDPR, a DSAR can be made by the data subject or by a person authorised to act on their behalf. An attorney appointed under an LPA is recognised as having the legal authority to make such requests. This means that organisations must treat a DSAR from an attorney in the same way they would treat a request from the data subject themselves.  So for example, with an LPA in place in respect of health, the attorney can make DSARs to the NHS. It must still be in respect of relevant information however and care is needed in a disclosure not to disclose health information not strictly relevant to the case in discussion.

Practical Implications for Organisations

So your organisation must be prepared to handle DSARs made by attorneys. This involves verifying the attorney’s authority, which typically requires a copy of the LPA document. Once verified, you must provide the requested data within the same timeframe and under the same conditions as if the request were made by the data subject.

Challenges and Considerations

One of the challenges organisations may face is ensuring that they are dealing with a legitimate attorney. This requires careful verification of the LPA document and, in some cases, may involve additional checks to confirm the attorney’s identity and authority. Additionally, organisations must be mindful of the sensitive nature of the data being requested and ensure that it is handled securely and in compliance with GDPR principles.

Benefits for Data Subjects

For data subjects, having an LPA in place provides peace of mind that their rights under GDPR can be exercised even if they are unable to do so themselves. This is particularly important for individuals with deteriorating health or those who may face future incapacity. It ensures continuity in the management of their personal data and upholds their rights to privacy and data protection.

Conclusion

The intersection of LPAs and DSARs under GDPR highlights the importance of planning for future incapacity. By appointing an attorney, individuals can ensure that their data protection rights are maintained, and organisations can continue to comply with GDPR requirements. For both data subjects and organizations, understanding the role of LPAs in the context of DSARs is crucial for effective data management and protection.