The Information Commissioner's Office (ICO) has released their latest guidance on data subject access requests, or DSARs. Guidance on DSARs has already been in the public domain for some time – so what does this latest revision add?
Well, the law is unchanged, but the ICO has included new and helpful guidance following its 2019 consultation, particularly on "stopping the clock", manifestly excessive requests and charging a fee. The ICO has also confirmed that it intends to release additional guidance focused on data subject access requests for smaller businesses, which would be a welcome addition, as not every organisation has the resources or technical know-how to deal effectively with a subject access request within 1 month.
"Stop the clock"
In 2019, the ICO published guidance that the one-month timeframe to respond to a DSAR started on the day the DSAR was received, meaning that data controllers who sought additional information from the subject would effectively be eating into their time to respond to the request.
The ICO has now confirmed that an organisation does have a right to "stop the clock" where they process a large amount of information about an individual. Data controllers can now ask subjects to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is paused until that clarification is received – effectively "stopping the clock" for the time to respond.
However, data controllers must only "stop the clock" where it is (1) genuinely required in order to respond to a DSAR, and (2) the data controller processes a large amount of information about the individual.
The ICO recognises that this assessment is subjective, and also identifies that it is likely to depend on an organisation's specific resources – naming small businesses without the resources to easily address a DSAR as candidates who may need to make use of this exemption. On this basis, large employers who do have the resources to address DSARs as a matter of course should work on the presumption that the benefit of "stopping the clock" is unlikely to apply.
The ICO guidance gives examples of the information that a data controller could ask for clarification on.
Manifestly excessive requests
Data controllers are able to refuse to comply with a DSAR where the request is manifestly unfounded or excessive. The latest guidance provides further information to identify what the ICO considers to meet these standards.
The guidance now recognises that the data controller can decide whether a request is manifestly excessive by asking whether the request is proportionate when compared to the burden or costs of dealing with it.
The ICO also suggests that a request would not be manifestly excessive purely in relation to the volume of data requested, and that data controllers should consider asking for additional clarification rather than refusing to comply. Any justifications for refusing to comply must be particularly robust to be compliant.
Charging a fee
A data controller can charge a fee for addressing manifestly unfounded or excessive requests, rather than refusing to respond altogether. The new guidance clarifies that this fee can relate to the administrative costs of complying with a request, including the time taken to assess whether the information is being processed by the controller, the time taken to locate, receive and extract information, and the cost of providing a copy or communicating with the data subject.
In the guidance, the ICO suggests that a data controller should ensure consistency when charging fees. Should the individual complain to the ICO, the data controller must be in a position to explain and justify the costs charged.
Notably, data controllers do not need to comply with the request until they have received the fee – but as this would relate to manifestly unfounded or excessive requests, it may be more likely that a data controller has refused to comply altogether.
Extension of time
The new guidance has also confirmed that the complexity of a DSAR (in order to justify an extension of time) would be assessed by reference to particular factors, such as the requirement for specialist legal advice.
What does this mean for employers?
Overall, the guidance provides helpful clarity for employers on the practical aspects of complying with the law when responding to employee DSARs. We also now know that specific guidance will follow for smaller employers.
Employers should bear in mind:
- The ICO will assess their ability to respond to a DSAR according to their resources – so larger employers should be wary of relying on clarification requests to "stop the clock".
- If an employee's subject access request is disproportionate to the costs or burden involved, it may be manifestly excessive – but employers should still ask for clarification before refusing to comply.
- Whether a request is manifestly unfounded will depend on the facts of the case – including the context of the employer/employee relationship.
- If employers do want to charge a fee to comply with a manifestly excessive or unfounded request, they should identify consistent criteria and reasonable rates to be charged.
- Extensions of time for an employer to respond to a subject access request can be granted if specialist legal advice is required.
This guidance is particularly useful for employers who are seeing a rise in contentious DSARs as part of the increase in employment litigation, largely caused by the COVID-19 pandemic.
If you are an employer and you have any questions regarding the guidance or on data subject access requests in general, please contact David Lorimer or Rachel Rigg.
For more information on subject access requests, please see the articles by Fieldfisher's privacy team – including:
- This is Going to Hurt: Secret Diaries of the ICO (or, A Song of Enforcement and Fining)
- Dawson-Damer Subject Access case: Nowhere to hide when dealing with requests, and
- ICO guidance: a good re-SAR-lt for controllers?