New guidance on dealing with subject access requests
The Information Commissioner’s Office (ICO) has issued updated detailed guidance on dealing with subject access requests (SARs); the full update can be found here.
An individual makes a SAR when they ask an organisation for a copy of their personal data. The updated guidance clarifies three important issues:
When the time for responding to a SAR can be paused to seek clarification
The starting point is that an organisation must respond to a SAR without undue delay and in any event within one month of receiving the request or satisfactory identification information (if later). Under the guidance, organisations can ask an individual to clarify the information they want as part of their SAR if the organisation holds a large amount of information about the individual and it is not clear what information is being requested. The clock is then stopped while the organisation waits for clarification. However, organisations should note that the one-month time limit is only paused by the number of days it takes the individual to clarify their request; the one-month period does not start afresh from when the clarification is provided. Organisations should therefore not delay in seeking clarification of SARs. The section of the guidance on what to consider when responding to a SAR has been substantially updated and includes examples of how to deal with the initial stages of a SAR and the relevant time limits.
What is meant by a ‘manifestly excessive’ SAR
Under data protection law, if a SAR is manifestly excessive, an organisation can charge a reasonable fee for dealing with the SAR or refuse to deal with it. The guidance says that, in order to assess whether a SAR is manifestly excessive, an organisation should consider whether it is ‘clearly or obviously’ unreasonable. An organisation should take into account all the circumstances of the SAR and assess whether it is proportionate when balanced against the burden or costs involved in responding to it.
What an organisation can charge for dealing with manifestly excessive or unfounded SARs or repeated SARs
The guidance says that an organisation can include in its charges the costs of staff time (at a reasonable rate), copying, printing, postage and any other costs of transferring the information to the individual, as well as the cost of equipment and supplies such as envelopes or USB devices.
The ICO’s guidance has also been changed and updated in other areas. If you are responsible for data protection in your organisation, it is essential reading.