Responding to subject access requests
Information Commissioner’s Office revises code of practice to help businesses responding to subject access requests involving disproportional effort
Responding to subject access requests (SARs) costs businesses time and money, but for most of the time are manageable. But what happens if a business is faced with a SAR that is likely to involve retrieving. collating and reviewing vast quantities of personal data. Does the business still have to respond fully to the SAR?
The short answer is yes, unless the business can rely on the ‘disproportionate effort’ exception in the Data Protection Act.
In response to recent court cases on the meaning of ‘disproportionate effort’, the Information Commissioner’s Office has revised its code of practice on handling SARs.
According to the revised guidance, it is no longer the case that the disproportionate effort exception can only be relied on by a business in the most exceptional cases.
The ICO advises that when responding to SARs, it expects businesses to “evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, whilst bearing in mind the fundamental nature of the right of subject access.”
So, difficulties that might crop up during the process of responding to the SAR, including difficulties in finding the requested information can be taken into account.
Whilst a business cannot require an individual to narrow the scope of their request, the ICO recognises that it is good practice for businesses to engage with the individual, “having an open conversation about the information they require” which might reduce the costs and effort.
The burden of showing that all reasonable steps have been taken to comply with the SAR and that it would be disproportionate in all the circumstances to do anything further rests with the business. This is really the nub of the problem – the business will have to be able to justify its decision not to comply fully with the SAR.
It is likely that it will still take a great deal of disproportionate effort to outweigh an individual’s access to their personal data, and businesses will need to appreciate that if they rely on the disproportionate effort exception, they may well face a complaint to the ICO and an argument about what is or is not disproportionate effort.
Also, even if a business can show that complying with a SAR would involve disproportionate effort it must still try to comply with the SAR in some other way, if the individual agrees.
Helpfully, the ICO says that if they receive a complaint from an individual, they may take into account a business’ readiness to engage with the individual and balance this against the benefit and importance of the information to them as well as taking into account the individual’s level of co-operation with the business throughout the process. So, if a business tries to engage with the individual but is flatly ignored, this should work in the business’s favour.
Ultimately, it will be a case of seeing how the application of the disproportionate effort exception pans out in the future. In the meantime, if a business is considering relying on the disproportionate effort exemption, it may be prudent to obtain legal advice on the strength of its position.