ICO issues new guidance on Subject Access Requests
At the end of October, the Information Commissioner’s Office (ICO) published new, detailed guidance on the right of access, intended to simplify how organisations respond to subject access requests (commonly referred to as SARs).
The new guidance follows a consultation held at the end of 2019, to which many organisations responded. One common theme was the need for more support and clarification on aspects of data protection law, particularly data controllers’ obligations when handling SARs.
The ICO responded with more detailed guidance, and we have set out below the updated position on four of the most common points:
1. Stopping the clock for clarification
Previously, the guidance stated that seeking clarification about the personal data being requested would not ‘stop the clock’ on the time limit for responding to a SAR. This meant that the one-month statutory period continued to count down even where it was unclear what the data subject was asking for. Further, if clarification was sought but no response was received, the data controller was still required to make reasonable attempts to comply with the request by the statutory deadline. The concern was that, where there is a genuine need for clarification, time would be lost waiting for the data subject to respond while the clock continued to run, and that the data controller would waste valuable resources attempting to comply with an unclear request.
As a result of these concerns, the new ICO position is that in certain circumstances the clock can be stopped whilst the data controller waits for the data subject to clarify their request.
If a large amount of information is processed about the individual, the data controller may (but is not obliged to) ask the data subject to be more specific about the information they are requesting before the request is actioned. The clarification sought may relate to the context or dates of the processing, but it cannot be used to force an individual to narrow the scope of their request. The time limit for responding is paused until the clarification is received.
Clarification should only be sought if:
it is genuinely required in order to respond to a SAR; and
a large amount of information about the individual is processed.
2. Extending the time to respond
The GDPR states that a SAR must be responded to “without undue delay” and at the latest within one calendar month of receipt of the request or within one calendar month of receipt of:
any information requested to confirm the requester’s identity; or
a fee (only in certain limited circumstances).
The one-month time limit should be calculated from the day the request, fee or other requested information is received. If the corresponding day in the next calendar month falls on a non-working day (i.e. weekend or bank holiday) then the response falls due on the next working day.
This timeframe can be extended by a further two months if:
the request is complex; or
a number of requests have been received from the data subject - for example, a SAR, a request for erasure and a request for data portability are received simultaneously.
If it is necessary to extend the time limit, the data controller must notify the data subject within one calendar month of receiving the request, explaining why the extension is necessary.
Whether a request is complex will depend on the specific circumstances, so each SAR must be considered on a case-by-case basis. The following are examples of factors that the ICO considers may, in some circumstances, make a request complex:
Technical difficulties in retrieving the information.
Applying an exemption that involves large volumes of particularly sensitive information.
Clarifying potential issues around disclosing information about a child to a legal guardian.
Any specialist work involved in obtaining the information or communicating it in an intelligible form.
Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
Needing to obtain specialist legal advice.
Searching large volumes of unstructured manual records (this is only applicable to public authorities).
3. Manifestly unfounded or excessive requests
There has been confusion over the definition of these terms; therefore, the ICO has sought to lend clarification in the new guidance.
If a request is considered either ‘manifestly unfounded’ or ‘manifestly excessive’ then a data controller can refuse to comply.
A request may be considered ‘manifestly unfounded’ if the data subject clearly has no intention to exercise their right to access their personal data. However, it must be obvious that this is the case and it is not for the data controller to interpret meaning in a particular way. A clear example would be that the data subject makes the request but then offers to withdraw it in exchange for a benefit from the data controller.
A request may also be considered ‘manifestly unfounded’ if the data subject states that they intend to cause disruption, makes unsubstantiated malicious accusations, targets a particular employee or systematically sends regular requests with an intention to disrupt business.
To determine whether a request is ‘manifestly excessive’, consideration should be given to whether it is clearly or obviously unreasonable. This should be based on whether the request is proportionate when balanced with the burden or costs involved in dealing with it.
This will mean taking into account all the circumstances of the request, including:
the nature of the requested information;
the context of the request, and the relationship between the data controller and the individual;
whether a refusal to provide the information or even acknowledge if it is held may cause substantive damage to the data subject;
the resources available;
whether the request largely repeats previous requests, and a reasonable interval has not elapsed; or
whether it overlaps with other requests (although if it relates to a completely separate set of information, it is unlikely to be excessive).
A request is not excessive simply because the data subject asks for a large amount of information; in that situation the data controller can seek clarification (see point 1 above) so that the request is detailed enough to help locate the information.
Whether the data controller is considering if a request is manifestly unfounded or manifestly excessive, each request must be given serious consideration and there can be no ‘blanket policy’. The inclusion of the word ‘manifestly’ means that the unfounded or excessive nature of the request must be clear and not a matter of interpretation.
4. Charging a fee
Generally, a fee cannot be charged for complying with a SAR.
For those relatively rare circumstances in which a fee can be charged, the ICO has updated what costs the data controller can take into account when charging an administrative fee.
The guidance states that a ’reasonable fee’ can be charged for the administrative costs of complying with a request if:
it is manifestly unfounded or excessive (and the data controller chooses to respond rather than refuse to comply as set out above); or
a data subject requests further copies of their data following a request.
The data controller should charge fees in a reasonable, proportionate and consistent manner. It is therefore best practice to establish an unbiased set of criteria for these fees, which can be made available upon request.
When determining a ‘reasonable fee’, the ICO states that the data controller can consider the administrative costs of:
assessing whether they are processing the information;
locating, retrieving and extracting the information;
providing a copy of the information; and
informing the data subject, including contacting them to let them know that the requested information is held (even if they are not providing the information).
As there may be substantial overlap across these activities, the fee charged must be reasonable and the individual should not be ‘double-charged’.
A reasonable fee may also include the costs of:
photocopying, printing, postage and any other costs involved in transferring the information to the individual;
equipment and supplies; and
staff time.
The costs of staff time should be based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate.
If a fee is charged, the data controller does not have to comply with the request until the fee is received. However, the fee should be requested as soon as possible and, at the latest, within one calendar month of receiving the SAR.
The data subject should then be afforded a reasonable period of time to respond to the request for a fee. It is generally reasonable to close the request if a response is not received within one calendar month, although the data controller will need to take all circumstances into account when determining what is reasonable.
To read the full guidance, follow this link:
Leigh Payne, Solicitor at rradar