Information Commissioner's Office

Updated SAR guidance from the ICO

October 30th, 2020 Posted in Data Protection

On 21 October 2020, the Information Commissioners Office (the “ICO”) published updated guidance on the right of access, commonly known as “subject access requests” (SARs).

Under data protection legislation, individuals have a right to access and receive a copy of their personal data. The new guidance, intended for data protection officers and those with specific data protection responsibilities, aims to clarify and simplify key elements of the SARs process.

The updated subject access guidance follows a consultation that began in December last year and the changes appear to have tipped the balance in favour of organisations responding to requests (data controllers), whereas previously the ICO’s guidance (and feedback we received from ICO caseworkers) was more in favour of data subjects.

Key takeaways

Key takeaways from the ICO’s new subject access guidance include the following:

Stopping the clock

Organisations can now ‘stop the clock’ whilst they are waiting for the requestor to clarify their request. This is a fundamental change as previously the time limit to respond would not have been paused whilst organisations waited for information or clarification from requestors. This significant development will provide organisations with increased time to respond to requests where they make genuine requests for further information to assist them in responding to a SAR.

Identifying manifestly excessive or unfounded SARs

The definition of what constitutes a ‘manifestly excessive’ request has been broadened by the ICO. The guidance sets out the type of circumstances when a request will be manifestly excessive including the considerations organisations should take into account when deciding if a request is manifestly unfounded or excessive. This will assist organisations when they are trying to determine whether a request can be declined which is rarely a straightforward task.

Charging an administrative fee

In most cases, you still cannot charge a fee to comply with a SAR. However, the ICO has clarified what organisations should consider when charging an administrative fee for manifestly unfounded or excessive requests. This enhanced guidance provides organisations with clarity on the costs they should take into account when determining what fee they should charge an individual.

Additional information added

In addition to the above, the ICO has made numerous other changes and added additional content to its existing guidance. For example, there is now detailed guidance on how organisations should prepare to respond to SARs and enhanced guidance on how to locate and retrieve the information that has to be submitted in response to a SAR.

Although it appears that the balance has been tipped in favour of organisations responding to SARs, in a recent blog, the ICO emphasises the importance of the right of access, describing it as a “cornerstone of data protection law”. As such, organisations must continue to apply best endeavours when responding to SARs to ensure they can demonstrate their compliance with the law.

What next?

Organisations will need to review your policies and procedures and update them to reflect this new subject access guidance. Your in house data protection teams should monitor subject access case law as well. Cases typically turn on the specific facts but wider lessons should be learned from them. Recent cases of interest include Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University.

We can help

If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.


Raymond Orife Evalian 250x250

Written by Ray Orife

Ray specialises in data protection and information rights law. He is a qualified solicitor and worked in private practice and in-house in commercial law roles before focusing on data protection. Before joining Evalian™ he was in-house counsel and Data Protection Officer for a high street financial services organisation and their associated businesses. His qualifications include a First Class Honours Degree in Law, LPC (Distinction), Practitioner Certificate in Data Protection (PC.dp) and IAPP CIPP/E.