Updated SAR guidance from the ICO
On 21 October 2020, the Information Commissioners Office (the “ICO”) published updated guidance on the right of access, commonly known as “subject access requests” (SARs).
Under data protection legislation, individuals have a right to access and receive a copy of their personal data. The new guidance, intended for data protection officers and those with specific data protection responsibilities, aims to clarify and simplify key elements of the SARs process.
The updated subject access guidance follows a consultation that began in December last year and the changes appear to have tipped the balance in favour of organisations responding to requests (data controllers), whereas previously the ICO’s guidance (and feedback we received from ICO caseworkers) was more in favour of data subjects.
Key takeaways
Key takeaways from the ICO’s new subject access guidance include the following:
Stopping the clock
Organisations can now ‘stop the clock’ whilst they are waiting for the requestor to clarify their request. This is a fundamental change as previously the time limit to respond would not have been paused whilst organisations waited for information or clarification from requestors. This significant development will provide organisations with increased time to respond to requests where they make genuine requests for further information to assist them in responding to a SAR.
Identifying manifestly excessive or unfounded SARs
The definition of what constitutes a ‘manifestly excessive’ request has been broadened by the ICO. The guidance sets out the type of circumstances when a request will be manifestly excessive including the considerations organisations should take into account when deciding if a request is manifestly unfounded or excessive. This will assist organisations when they are trying to determine whether a request can be declined which is rarely a straightforward task.
Charging an administrative fee
In most cases, you still cannot charge a fee to comply with a SAR. However, the ICO has clarified what organisations should consider when charging an administrative fee for manifestly unfounded or excessive requests. This enhanced guidance provides organisations with clarity on the costs they should take into account when determining what fee they should charge an individual.
Additional information added
In addition to the above, the ICO has made numerous other changes and added additional content to its existing guidance. For example, there is now detailed guidance on how organisations should prepare to respond to SARs and enhanced guidance on how to locate and retrieve the information that has to be submitted in response to a SAR.
Although it appears that the balance has been tipped in favour of organisations responding to SARs, in a recent blog, the ICO emphasises the importance of the right of access, describing it as a “cornerstone of data protection law”. As such, organisations must continue to apply best endeavours when responding to SARs to ensure they can demonstrate their compliance with the law.
What next?
Organisations will need to review your policies and procedures and update them to reflect this new subject access guidance. Your in house data protection teams should monitor subject access case law as well. Cases typically turn on the specific facts but wider lessons should be learned from them. Recent cases of interest include Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University.
We can help
If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.
