The ICO publishes updated guidance on data subject access requests for employers

Following its consultation, which concluded in February 2020, the Information Commissioner’s Office (ICO) has published its new guidance on Data Subject Access Requests (DSARs) under the General Data Protection Regulation 2018 (GDPR).

The new guidance is welcomed by employers as it brings clarity to some of the ‘grey’ areas that have persisted since the introduction of the Data Protection Act in 2018. It provides detail on three key points, all raised during the consultation, which are: (i) stopping the clock, (ii) what amounts to manifestly unfounded or excessive, and (iii) what is a reasonable fee to charge for a request.

‘Stopping the clock’

The ICO received extensive feedback during its consultation that, when an organisation seeks clarification from the individual regarding the scope of their DSAR, there is not sufficient time to reply within the deadline of 30 days. In response, the ICO has explained that organisations can ‘stop the clock’ by asking the individual to specify the information or activities their request relates to before responding to the request. This pauses the time to respond until the organisation receives clarification. The ICO has stressed that organisations should only seek clarification if it is genuinely needed to respond to a DSAR and a large amount of information is processed about the individual. Critically, organisations should not seek clarification on a blanket basis in a request to buy time.

By way of example, if an organisation receives a request on 14 May, it has until 14 June to reply (30 days). However, if the organisation asks for clarification on 15 May, the clock stops from 15 May until the date the requester responds. If the individual provides clarification on 18 May, the clock was stopped for three days and the original deadline is extended by three days, i.e. to 17 June.

What amounts to manifestly unfounded or manifestly excessive?

The original ICO guidance provided that an organisation can refuse to comply with a DSAR if the request is manifestly unfounded or manifestly excessive. The new guidance provides clarity on what this essentially means in practice.

The guidance sets out that a DSAR may be manifestly unfounded if: (i) the individual has no intention to exercise their right of access, for example an individual makes a request, but then offers to withdraw it in return for some benefit, or (ii) the request is malicious in intent.

In order to determine if a DSAR is manifestly excessive, an organisation will need to consider whether it is clearly or obviously unreasonable. This should be based on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. The guidance then goes on to list a number of factors to consider when deciding.

An organisation can refuse to comply with a request if it is manifestly unfounded or excessive. However, organisations need to be careful about applying these exceptions and, if they do, they need to document the decision carefully. Each DSAR must be considered in the context in which it is made.

What is a reasonable fee to charge?

In most cases, organisations cannot charge a fee to comply with a DSAR. However, an organisation can charge a reasonable fee for the administrative costs of complying with the request if: (i) it is manifestly unfounded or excessive, or (ii) an individual requests further copies of their data following the request. When determining if a fee is reasonable, the new guidance explains that an organisation can consider the administrative costs of:

  • assessing whether or not the organisation is processing the information;
  • locating, retrieving and extracting the information;
  • providing a copy of the information; and
  • communicating the response to the individual, including contacting them to inform them that the organisation holds the requested information (even if it is not providing it).

There can be substantial overlap between these activities, and so the ICO has reminded employers to charge a reasonable fee and to be careful not to ‘double-charge’ the individual. Any such fees should be charged in a “reasonable, proportionate and consistent manner” using unbiased criteria for charging fees, which should be made available on request.

Conclusions

The right of access is a fundamental right for individuals. Whilst a request can be expensive and a burden on organisations, the proper handling of requests is essential, and the guidance is welcome progress in assisting employers with this.

The ICO guidance can be found here.

The law and practice referred to in this article or webinar has been paraphrased or summarised. It might not be up-to-date with changes in the law and we do not guarantee the accuracy of any information provided at the time of reading. It should not be construed or relied upon as legal advice in relation to a specific set of circumstances.
