Key changes introduced by Information Commissioner’s Office (ICO) on handling subject access requests

A clearer picture on handling subject access requests

On 21 October 2020, the Information Commissioner’s Office (ICO) published its long-awaited detailed guidance on subject access requests (SARs). The updated guidance provides some much-needed clarity and detail, helping to ease the burden of dealing with SARs, which can often be very complicated.

To read our earlier article about the draft guidance issued as part of the consultation click here

In this article, we look at some of the key changes introduced by the new guidance, and how this will impact schools.

Stop the clock!

In its draft guidance, one of the most controversial changes that the ICO proposed to introduce was that the time limit for complying with a SAR would start to run from the date of receipt, even if clarification of the request was required.

The updated guidance offers a new compromise: where the controller processes a large amount of information about the individual and clarification of the SAR is genuinely needed in order to carry out reasonable searches, the time limit for responding will be paused until the necessary clarification is received (referred to as ‘stopping the clock’).

The ability to stop the clock is a welcome change for schools dealing with unclear requests and unresponsive requestors, and will help avoid unnecessary searches and dwindling timeframes.

Manifestly excessive requests

As before, schools can refuse to comply with a SAR if it is manifestly unfounded or excessive. The updated guidance has not changed the position in relation to such requests but further detail around the meaning of “manifestly excessive” has been provided.

In arguing that a request is manifestly excessive, schools should base their assessment on whether the “request is proportionate when balanced with the burden or costs involved in dealing with the request”, taking all of the relevant circumstances into account. The relevant circumstances will include:

• the nature of the information requested;
• the context of the request, and the relationship with the requestor;
• whether a refusal to comply with the SAR will cause substantive damage to the requestor;
• available resources;
• repetition of previous requests; or
• whether the request overlaps with other requests.

These factors offer greater scope to argue that a request is excessive, however schools must ensure that there is a “clearly or obviously unreasonable” quality to the request and must be able to demonstrate strong justification for refusing to comply on this basis.

The position on charging

Another notable amendment to the guidance is the expansion of factors that an organisation may consider when deciding whether to charge a fee for complying with a request. A fee can only be charged in specific circumstances: where a request is manifestly unfounded or excessive or an individual requests further copies of their data following a request.

The updated guidance confirms that when calculating a reasonable fee, organisations may take into account the administrative costs incurred of:

• assessing whether or not the organisation is processing the data subject’s personal data;
• locating, retrieving and extracting the information;
• providing a copy of the information; and
• communicating the response to the data subject.

Further, the guidance confirms that organisations may charge for the following:

• transferring the information to the requestor;
• equipment and supplies; and
• staff time (based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate).

Any costs must be clearly explained to the requestor when requesting a fee, and this new guidance should help schools calculate the fee and justify charging for particular items.

Further changes of particular interest to schools

Other noteworthy changes of particular interest to schools include:

• SARs made on behalf of children: The ICO has confirmed the children should not be considered competent if it is evident that the child is acting against their own best interests (such as where there are reasonable concerns that the requestor is pressuring the child to make the SAR).
• Requests in the normal course of business: Further illustrative examples have been provided as to when it is reasonable to handle a request outside the SAR regime, for example, where an employee asks for a copy of their payslips or employment contract.
• Conducting searches: The updated guidance clarifies the position on identifying whether information in emails is personal data, confirming that individuals are not entitled to a copy of the email just because it was sent to them (if the email only contains their name and email address and contains no other personal data). This is particularly useful for schools to help refine their searches when dealing with large SARs.

If your school requires advice or training on dealing with SARs or you have any questions around this topic, a member of Stone King’s Information Law Team would be very happy to assist, please see our Information Law services for schools.