Lasting Power of Attorney and DSARs

Last month I turned 65, and it felt a bit of a milestone to me - time for some reflection. So I took this opportunity to update my Will and also put in place Lasting Power of Attorney for my later years. Not that I'm planning to lose my marbles yet, but the timing felt right. This got me thinking about the effect of LPAs on Data Subject Access Requests, especially as I've historically had first hand experience of responding to these when an LPA has been in place - just not necessarily the right one.

The UK General Data Protection Regulation (GDPR) has established robust rights for individuals, including the right to access their personal data. This right, known as a Data Subject Access Request (DSAR), allows individuals to understand what data is being held about them and how it is being used. But what happens when an individual is unable to make such requests themselves? This is where a Lasting Power of Attorney (LPA) becomes crucial, but it also has to be the right one.

Understanding Lasting Power of Attorney

A Lasting Power of Attorney is a legal document that allows an individual (the donor) to appoint one or more people (attorneys) to help them make decisions or to make decisions on their behalf. This is particularly important if the donor loses mental capacity. There are two types of LPA: one for health and welfare decisions, and another for property and financial affairs. For the purposes of DSARs, and depending on the nature of the request, you must have the right one in place.

The Role of an Attorney in DSARs

When an individual has appointed an attorney through an LPA, the attorney can act on their behalf in making DSARs. This is particularly important for individuals who may be incapacitated or otherwise unable to manage their own affairs. The attorney effectively steps into the shoes of the data subject, making requests for access to personal data held by various organisations.

Legal Basis for Attorneys Making DSARs

Under the UK GDPR, a DSAR can be made by the data subject or by a person authorised to act on their behalf. An attorney appointed under an LPA is recognised as having the legal authority to make such requests. This means that organisations must treat a DSAR from an attorney in the same way they would treat a request from the data subject themselves. So for example, with an LPA in place in respect of health, the attorney can make DSARs to the NHS. It must still be in respect of relevant information however and care is needed in a disclosure not to disclose health information not strictly relevant to the case in discussion.

Practical Implications for Organisations

So your organisation must be prepared to handle DSARs made by attorneys. This involves verifying the attorney’s authority, which typically requires a copy of the LPA document. Once verified, you must provide the requested data within the same timeframe and under the same conditions as if the request were made by the data subject.

Challenges and Considerations

One of the challenges organisations may face is ensuring that they are dealing with a legitimate attorney. This requires careful verification of the LPA document and, in some cases, may involve additional checks to confirm the attorney’s identity and authority. Additionally, organisations must be mindful of the sensitive nature of the data being requested and ensure that it is handled securely and in compliance with GDPR principles.

Benefits for Data Subjects

For data subjects, having an LPA in place provides peace of mind that their rights under GDPR can be exercised even if they are unable to do so themselves. This is particularly important for individuals with deteriorating health or those who may face future incapacity. It ensures continuity in the management of their personal data and upholds their rights to privacy and data protection.

Conclusion

The intersection of LPAs and DSARs under GDPR highlights the importance of planning for future incapacity. By appointing an attorney, individuals can ensure that their data protection rights are maintained, and organisations can continue to comply with GDPR requirements. For both data subjects and organizations, understanding the role of LPAs in the context of DSARs is crucial for effective data management and protection.

Addendum: there's also a helpful service from the UK government on how to use an LPA.

pragmatic advice and guidance to charities and businesses on GDPR, data protection and marketing compliance
contact-us
The Pumphouse, Forstal Road, Aylesford, Kent, ME20 7AU

Effective Date: 04-Aug-2024
Last Updated: 04-Aug-2024

What are cookies?

This Cookie Policy explains what cookies are and how we use them, the types of cookies we use i.e, the information we collect using cookies and how that information is used, and how to manage the cookie settings.

Cookies are small text files that are used to store small pieces of information. They are stored on your device when the website is loaded on your browser. These cookies help us make the website function properly, make it more secure, provide better user experience, and understand how the website performs and to analyze what works and where it needs improvement.

How do we use cookies?

As most of the online services, our website uses first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function the right way, and they do not collect any of your personally identifiable data.

The third-party cookies used on our website are mainly for understanding how the website performs, how you interact with our website, keeping our services secure, providing advertisements that are relevant to you, and all in all providing you with a better and improved user experience and help speed up your future interactions with our website.

Types of Cookies we use

Manage cookie preferences

You can change your cookie preferences any time by clicking the above button. This will let you revisit the cookie consent banner and change your preferences or withdraw your consent right away.

In addition to this, different browsers provide different methods to block and delete cookies used by websites. You can change the settings of your browser to block/delete the cookies. Listed below are the links to the support documents on how to manage and delete cookies from the major web browsers.

Chrome: https://support.google.com/accounts/answer/32050

Safari: https://support.apple.com/en-in/guide/safari/sfri11471/mac

Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?redirectslug=delete-cookies-remove-info-websites-stored&redirectlocale=en-US

Internet Explorer: https://support.microsoft.com/en-us/topic/how-to-delete-cookie-files-in-internet-explorer-bca9446f-d873-78de-77ba-d42645fa52fc

If you are using any other web browser, please visit your browser’s official support documents.