
Data protection: ICO Guidance on subject access requests

What do we already know?

In our January 2020 Newsletter, Data Protection: ICO Data Hub & Subject Access Requests, we reported that the Information Commissioner’s Office (ICO) had opened a consultation on its new, more comprehensive, draft guidance on dealing with subject access requests.

The right to make a subject access request, broadly, allows individuals to find out what personal data is held about them and to obtain a copy of that data.

What’s new?

The ICO has published new detailed guidance (available here) on responding to Data Subject Access Requests (DSARs) under the General Data Protection Regulation 2018 (GDPR).

The updated guidance provides more support and clarification on “some aspects of the law that aren’t so clear cut”. Key developments for employers responding to employee DSARs include:

1. ‘Stopping the clock’ when clarifying the scope of the DSAR: The new guidance confirms that an organisation can potentially stop the clock on the calendar month time limit for responding if clarification on the scope of the DSAR is required. However, the clarification request must be made “as quickly as possible”, must be genuine, and may be made only where the organisation processes a large amount of information about the individual. Organisations should not seek clarification on a blanket basis in an attempt to buy more time to deal with the request.

2. Defining “manifestly unfounded” or “manifestly excessive”: The ICO’s original summary guidance on DSARs states that an organisation can refuse to comply with a DSAR if it is “manifestly unfounded” or “manifestly excessive”. The new guidance explains further what these definitions mean in practice.

The guidance emphasises that each DSAR should be considered individually and warns organisations against applying a blanket policy. Organisations need to be prepared to justify why they consider a DSAR to be manifestly unfounded or excessive if challenged by the ICO.

3. Defining a “reasonable fee”: In the majority of cases, an organisation will not be able to charge a fee to comply with a DSAR. The summary and new detailed guidance, however, highlight that an organisation can charge a “reasonable fee” for the administrative costs of complying if the DSAR is manifestly unfounded or excessive or the individual requests further copies of data following the DSAR.

The new guidance explains that an organisation should take into account the following when determining a reasonable fee:

The new guidance states that there could be overlap between the above activities and organisations should be careful not to double charge individuals. The guidance further states that a reasonable fee may include the costs of photocopying, printing, postage and any other costs involved in transferring the information to the individual, equipment and supplies, and staff time spent on complying with the DSAR.
