Data protection: ICO Guidance on subject access requests

data protection

What do we already know?

We updated you in our January 2020 Newsletter, Data Protection: ICO Data Hub & Subject Access Requests, that the Information Commissioner’s Office (ICO) had opened a consultation on its new, more comprehensive, draft guidance on dealing with subject access requests.

The right to make a subject access request, broadly, allows individuals to find out what personal data is held about them and to obtain a copy of that data.

What’s new?

The ICO has published new detailed guidance (available here) on responding to Data Subject Access Requests (DSARs) under the General Data Protection Regulation 2018 (GDPR).

The updated guidance provides more support and clarification on “some aspects of the law that aren’t so clear cut”. Key developments for employers responding to employee DSARs include:

1. ‘Stopping the clock’ when clarifying the scope of the DSAR: The new guidance confirms that an organisation can potentially stop the clock on the calendar month time limit for responding if clarification on the scope of the DSAR is required. However, this clarification request needs to be made “as quickly as possible”, must be genuine, and is only appropriate where the organisation processes a large amount of information about the individual. Organisations should not seek clarification on a blanket basis in an attempt to buy more time to deal with the request.

2. Defining “manifestly unfounded” or “manifestly excessive”: The ICO’s original summary guidance on DSARs states that an organisation can refuse to comply with a DSAR if it is “manifestly unfounded” or “manifestly excessive”. The new guidance explains further what these definitions mean in practice.

  • “Manifestly unfounded”: where the individual clearly has no intention to exercise their right of access or the DSAR is intended to be malicious and is being used as a way of harassing the organisation, with no real purpose other than to cause disruption;
  • “Manifestly excessive”: to determine whether a DSAR is manifestly excessive, an organisation will need to consider whether the DSAR is proportionate when balanced with the burden of costs involved in dealing with the request. All circumstances of the DSAR will need to be taken into account including: the nature of the requested information; the context of the DSAR and relationship between the individual and the organisation; whether a refusal to provide information or acknowledgment that the organisation holds it would cause substantive damage to the individual; the organisation’s available resources; whether the DSAR largely repeats previous requests and a reasonable interval has not elapsed; or whether it overlaps with other DSARs.

The guidance emphasises that each DSAR should be considered individually and warns organisations against applying a blanket policy. Organisations need to be prepared to justify why they consider a DSAR to be manifestly unfounded or excessive if challenged by the ICO.

3. Defining a “reasonable fee”: In the majority of cases, an organisation will not be able to charge a fee to comply with a DSAR. The summary and new detailed guidance, however, highlight that an organisation can charge a “reasonable fee” for the administrative costs of complying if the DSAR is manifestly unfounded or excessive, or if the individual requests further copies of data following the DSAR.

The new guidance explains that an organisation should take into account the following when determining a reasonable fee:

  • assessing whether or not the organisation is processing the information;
  • locating, retrieving and extracting the information;
  • providing a copy of the information; and
  • communicating the response to the individual, including contacting them to inform them that the organisation holds the requested information (even if it is not providing it).

The new guidance states that there could be overlap between the above activities and organisations should be careful not to double charge individuals. The guidance further explains that a reasonable fee may include the costs of photocopying, printing, postage and any other costs involved in transferring the information to the individual, as well as equipment and supplies and staff time spent on complying with the DSAR.