New guidance on Data Subject Access Requests released by the ICO
The Information Commissioner’s Office (ICO) has produced long-awaited, detailed guidance on how organisations should deal with data subject access requests (DSARs).
The guidance does not change the law but provides additional content and examples on a variety of aspects of DSARs to assist employers with the commercial reality of dealing with these often burdensome requests.
General guidance on complying with DSARs
A DSAR is a request from an individual (called a ‘data subject’) for a copy of their personal data. Employers must comply with DSARs received from an employee (unless any of the few exemptions applies) and most requests can, unfortunately, become a time-consuming and burdensome exercise.
The ICO guidance provides an overview of the general rules relating to DSARs, set out in data protection legislation. In broad terms:
- Individuals have the right to access and to receive a copy of their personal data as well as other supplementary information.
- In most cases you cannot charge a fee to deal with a request.
- You should respond to the request without delay and within one month of receipt of the request. You may extend this time limit by a further two months if the request is complex.
- You should perform a reasonable search for the information and any information should be provided in an accessible, secure format.
- You can only refuse to provide the information if an exemption or restriction applies or if the request is manifestly unfounded or excessive.
Preparing for a DSAR
Preparation is key to dealing with DSARs in the correct way, which is essential to maintaining trust and confidence with your current staff members and to avoiding any recourse against the organisation for non-compliance.
Some key points to consider implementing within your organisation:
- Nominate specific people within the business who are responsible for dealing with rights of access requests;
- Train your workforce to recognise when a DSAR is being made and the correct procedure for dealing with them in a timely manner;
- Implement effective technical systems to deal with these requests quickly, securely and effectively;
- Introduce a policy for dealing with DSARs. This should also involve a mechanism to record requests that are received.
Key points from the ICO guidance
The ICO guidance seeks to clarify and add detail to some of the General Data Protection Regulation (GDPR) obligations including:
Stopping the Clock
The guidance contains examples of when it may be justifiable to stop the clock on the one-month time limit for complying with a DSAR. The guidance provides that:
- You may stop or pause the time limit for responding where you need to clarify what information or activities the request relates to before responding.
- You cannot seek this clarification on a blanket basis. Clarification must be genuinely required in order to respond to a DSAR and the organisation must process a large amount of information about that individual.
- You should ensure the process of seeking and obtaining clarification is quick and easy for the individual; explain that the clock stops until the clarification has been provided by the individual.
What is a manifestly unfounded or excessive request?
Employers can refuse to comply with a DSAR if it is manifestly unfounded or manifestly excessive; until now, there has been little detail provided on what is meant by this exception.
In relation to an ‘unfounded’ request, the ICO guidance confirms that this may arise if the individual clearly has no intention to exercise their right of access (for example, agrees to withdraw it in return for money), or the request is malicious in intent and is being used to harass (for example, stating that they intend to cause disruption, or targeting a particular employee that they have a grudge against).
In relation to an ‘excessive’ request, the ICO guidance states that an organisation should consider whether it is ‘clearly or obviously unreasonable’ and whether the request is ‘proportionate when balanced with the burden or costs involved.’ Examples of things to consider include:
- The context and nature of the request being made;
- The resources you have available to deal with the request; and
- Whether the request repeats previous requests or overlaps with other requests.
The ICO warns that the inclusion of the word ‘manifestly’ in the legislation means there must be an obvious or clear quality to the unfoundedness or excessiveness. Organisations should therefore have strong reasons to justify treating a request as manifestly unfounded or excessive.
When can a fee be charged?
In most cases, an organisation can no longer charge a fee for complying with a DSAR. However, a ‘reasonable fee’ can be charged to cover the administrative costs of complying with a manifestly unfounded or excessive request, or where an individual requests further copies of their data.
Therefore, as an alternative to refusing to comply with a manifestly unfounded or excessive request, you could charge a ‘reasonable fee’ for dealing with the request. The ICO guidance confirms that a ‘reasonable’ fee can include things such as:
- The cost of staff time;
- Equipment and supplies including discs, USB devices or envelopes.
If you have any questions about the content of this article, or you would like assistance or advice on complying with a DSAR from one of your candidates or employees, the Employment Team at Coffin Mew would be happy to help so please do get in touch.