New ICO guidance on dealing with subject access requests
New guidance has been released by the Information Commissioner’s Office (ICO), concerning an individual’s right to ask an organisation whether or not they are using or storing their personal information and to request copies of their personal information – commonly known as subject access requests (SARs).
The detailed guidance focuses on how data protection officers and those responsible for data protection within an organisation should respond to SARs under the GDPR. The guidance contains valuable, practical advice and working examples. It covers how to recognise a SAR from an individual; how to locate and retrieve their personal data; and how to supply the information to that individual.
The changes follow a public consultation and provide clarity on key points which were raised, including:
- How to stop the time limit for responding to a SAR whilst waiting for clarification regarding the SAR
- What constitutes a manifestly excessive SAR
- The fee that may be charged for a manifestly unfounded or a manifestly excessive SAR
Time limit for a SAR
Ordinarily a SAR has to be responded to ‘without undue delay’ and, at the latest, within one month of receipt of the SAR or, where applicable, receipt of the individual’s ID documentation (where the organisation has requested verification of the individual’s identity) or the fee payable by the individual (where a fee has been charged to the individual for a manifestly unfounded or a manifestly excessive SAR).
The time limit is calculated from receipt of the SAR (or ID documentation or fee) until the corresponding calendar date in the next month. If there is no corresponding date in the next month, the deadline for the response is the last day of the next month. For example, if the date of receipt is 30 January, the deadline would be 28 February (or 29 February in a leap year). If the corresponding date in the next month falls on a weekend or a public holiday, the deadline for the response is the next working day.
Time limit for a complex SAR
The time limit can be extended by a further two months, if the SAR is complex or an organisation has received a number of requests from the individual (this includes SARs and other data subject right requests, such as the right to erasure).
The new guidance gives the following examples of factors that may add to the complexity of a request:
- Technical difficulties in retrieving the information
- Applying an exemption that involves large volumes of sensitive information
- Clarifying potential issues of disclosure of information about a child to a legal guardian
- Any specialist work involved in obtaining or communicating the information
- Clarifying potential confidentiality issues of disclosure of sensitive medical information
- Needing to obtain specialist (not routine) legal advice
- Searching large volumes of unstructured manual records (only applicable to public authorities).
It’s important to be aware that although searching large volumes of information may add to the complexity of the SAR, this does not of itself make the request complex.
Stopping the clock
An organisation can ask for clarification on a SAR if clarification is genuinely required and if it processes a large amount of information about the individual. It is unlikely to be reasonable or necessary to ask for clarification if the organisation can obtain the information quickly and easily. Where it does ask for clarification, the time limit for responding to the request is stopped and resumes when clarification is received. This needs to be explained to the individual when the request for clarification is made. To calculate the time limit for the response, you need to work out when the response would normally be due (see above) and extend this by the number of days that the clock was stopped.
However, an organisation should still provide confirmation that it holds personal data about the individual, if that’s the case, and the supplementary information which it is obliged to give in response to the SAR within the one-month deadline. This is usually done by providing a link to or a copy of the organisation’s privacy notice.
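The deadline rules above (corresponding calendar date in the next month, clamped to month end; roll forward over weekends and public holidays; a further two months for complex requests; extension by the number of days the clock was stopped) can be encoded as a small calculator. This is an added example, not part of the ICO guidance; the holiday set is constructed for illustration, and the order of applying the stopped-clock extension before the weekend/holiday roll-forward is an assumption.

```python
import calendar
from datetime import date, timedelta

# Constructed sample holidays for the example only; a real deployment
# would load the public holidays applicable to its jurisdiction.
PUBLIC_HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)}


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` ahead; if that day does not
    exist (e.g. 30 January -> February), clamp to the last day of the month."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays=PUBLIC_HOLIDAYS) -> date:
    """Roll forward while the date is a Saturday/Sunday or a public holiday."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date, clock_stopped_days: int = 0,
                 complex_request: bool = False,
                 holidays=PUBLIC_HOLIDAYS) -> date:
    """Deadline for responding to a SAR.

    received:           date the SAR (or ID documents / fee) was received
    clock_stopped_days: days between asking for clarification and receiving it
    complex_request:    True if the one-month limit is extended by two months
    """
    months = 3 if complex_request else 1          # one month, or one plus two
    due = add_months(received, months)            # corresponding date next month
    due += timedelta(days=clock_stopped_days)     # add back the stopped period
    return next_working_day(due, holidays)        # weekend/holiday -> next working day


if __name__ == "__main__":
    print(sar_deadline(date(2024, 1, 30)))                       # leap year: 2024-02-29
    print(sar_deadline(date(2025, 1, 30)))                       # 2025-02-28
    print(sar_deadline(date(2024, 10, 31)))                      # 30 Nov is Saturday -> 2024-12-02
    print(sar_deadline(date(2024, 11, 15), clock_stopped_days=5))  # 2024-12-20
```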
Unfounded or excessive SARs
If a SAR is ‘manifestly unfounded’ or ‘manifestly excessive’, the organisation may refuse to comply, or charge a reasonable fee for the administrative costs of complying with it.
The guidance states that a SAR may be ‘manifestly unfounded’ if:
- The individual clearly has no desire to exercise their right of access, for example they offer to withdraw the SAR in return for some sort of benefit (monetary or otherwise) from the organisation
- The SAR “is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption”
However, where an individual genuinely wants to exercise their rights, it’s unlikely that the request is manifestly unfounded.
A SAR will be ‘manifestly excessive’ if it is clearly or obviously unreasonable. This is based on whether the request is proportionate when balanced with the burden or costs involved in dealing with it. Relevant factors include the nature of the requested information; the context of the request and the organisation’s relationship with the individual; the organisation’s resources; whether a refusal to comply will cause substantive damage to the individual; and whether the SAR largely repeats previous SARs and a reasonable interval hasn’t elapsed. When thinking about whether a reasonable interval has elapsed between SARs, the nature of the data and how often it is altered should be taken into account.
In each case, the word ‘manifestly’ means the unfoundedness or excessiveness must be obvious or clear, and the organisation must be able to strongly justify a finding of ‘manifestly unfounded’ or ‘manifestly excessive’. This is a high threshold.
The guidance gives some welcome clarification on how to determine a reasonable fee when dealing with a manifestly unfounded or excessive SAR. The organisation may take into account the administrative costs of assessing whether or not it is processing the individual’s personal data; of locating, retrieving and extracting the information; and of providing a copy of the information to the individual. However, no double charging is permitted. Specifically, a reasonable fee may include photocopying, printing and postage costs; the cost of transferring the information to the individual; the costs of envelopes or USB devices; and staff time, based on the estimated time it will take staff to comply with the request charged at a reasonable hourly rate. It’s good practice to establish an unbiased set of criteria for charging fees which explains an organisation’s standard charges and how it calculates the fee.
If you require more information, or need help with complying with a SAR, please get in touch with our data protection team.