Detailed ICO Subject Access Request Guidance
The ICO published its hotly anticipated detailed ‘Right of Access’ guidance on 21st October, following a consultation which closed in February 2020. Does it help, or add to the complexity of handling access requests?
(For the sake of clarity, the Right of Access is commonly referred to as Data Subject Access Requests – DSAR/SAR).
First off, I’ll be diplomatic and say the ICO was being slightly optimistic by titling its accompanying blog, ‘Simplifying subject access requests new detailed SARs guidance’.
Simplifying isn’t a word I’d have chosen for 81 pages of detailed guidance – much of which rests on interpretation, careful assessment and justifiable decision-making.
SARs are often an area where the devil is in the detail and they can be a minefield for the initiated, let alone the uninitiated.
What are the key highlights of the guidance?
- ‘Stopping the clock’ is now permitted when you need to seek clarification. But seeking clarification shouldn’t be a blanket approach.
- Examples are provided to help organisations assess when a request might be considered ‘manifestly unfounded’.
- Some pointers are given for setting a ‘reasonable’ admin fee. This is only permitted when responding to manifestly unfounded or excessive requests, or when responding to follow up SARs.
I’ve taken a look at these in more detail.
‘Stopping the clock’
If you process ‘a large amount of information’ about someone, you may ask them to specify the information or activities their request relates to before you respond, but the regulatory guidance is that this shouldn’t be your routine approach.
The ICO has confirmed the one calendar month for responding can be paused while you wait for the requestor to provide clarification. (In their draft they had suggested the clock didn’t stop).
You may choose to conduct a ‘reasonable’ search instead of seeking clarification and it is up to you to assess and justify what constitutes a ‘large amount of information’, considering the size of your organisation and resources.
The guidance states:
“It is unlikely to be reasonable or necessary to seek clarification if you process a large volume of information in relation to the individual but can obtain and provide the requested information quickly and easily.
You can ask the requester to provide additional details about the information they want to receive, such as the context in which you may have processed their information and the likely dates of when you processed it.
However, you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them.”
If you judge it necessary to seek clarification, you should make sure it’s quick and easy for the individual to respond, and you should let them know the clock will be paused and will resume once they respond.
The importance of good communications with people submitting access requests can’t be overstated, as highlighted in our article 10 DSAR tips from 10 DPOs.
I can foresee some scratching of heads here: What type of clarification can be sought? When is it reasonable to ask for this? What should you do if someone fails to respond? How much should you chase up? And so on.
‘Manifestly unfounded or excessive’
There is an exemption whereby you’re permitted to refuse to respond to a SAR (wholly or in part) if you judge it to be ‘manifestly unfounded’ or ‘excessive’.
This has been an area which has vexed many, and the ICO has attempted to clarify it by giving some examples, such as:
- Where there is no intention to exercise their right of access. This could be when the individual offers to withdraw their request in return for some kind of benefit.
- Where the request is malicious and is being used to harass or cause disruption. This could include a request which targets a particular employer based on a personal grudge, or where different requests are systematically sent as a part of a campaign.
The onus rests with you to be able to justify a decision that a request is manifestly unfounded. Also, be careful: it’s not enough to rely on this exemption simply because of the individual’s motive. An ex-employee on a fishing exercise because they are unhappy about being made redundant is highly unlikely to fall under ‘manifestly unfounded’.
The ICO guidance states:
“If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.
Whilst aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.”
The guidance also provides examples of what would be considered manifestly ‘excessive’, such as requests which largely repeat previous requests without a reasonable interval.
‘Charging an admin fee’
As we know, the old £10 fee disappeared with GDPR, and the general rule is no fee should be charged. However, you can charge a ‘reasonable fee’ to cover administrative costs if:
- you’ve assessed the request to be manifestly unfounded or excessive
- the individual asks for further copies of their data following a request.
Many organisations are therefore left with (1) having to assess whether a request is manifestly unfounded or excessive, and (2) working out what a reasonable fee would be.
The guidance tries to help organisations judge what criteria to consider when setting a reasonable fee: the costs of locating, retrieving and extracting the information, communicating the response, and staff time.
The ICO says it’s good practice to establish an unbiased set of criteria for charging fees and that this should be explained to individuals.
I found the following paragraph in the guidance unnecessarily confusing:
“If you choose to charge a fee, you do not need to comply with the request until you have received the fee. However you should request the fee promptly and at the latest within one month of receiving the SAR. This means you must request the fee as soon as possible. You must not unnecessarily delay requesting it until you are nearing the end of the one month time limit.”
So, request the fee promptly and at the latest within one month of receiving the SAR, but don’t delay requesting it until you’re nearing the end of the one month time limit? (Hmmm…)
My advice? Request the fee promptly, and not when you’re nearing the end of the one month time limit.
Is there a risk organisations are being given more leeway to refuse SARs?
Michael Bond, Group DPO at News UK, raises some concerns about the ICO’s approach:
“It appears to have capitulated under the weight of lobbying and produced something that could well have a chilling effect on this cornerstone of information rights. Clarification is always welcome but, in my view, it will make the entire subject access process more complex for organisations and individuals to understand and increase administrative burden.”
As I said, the ICO blog title ‘simplifying subject access requests’ isn’t a phrase I’d have used, for an area which can quickly become complex. So much rests on balanced decisions and being able to justify these.
There are places in the guidance which organisations may use to push back on requests (perhaps unfairly). On the other hand, the guide is extensive and a useful resource, especially for organisations with less experience in handling SARs.
Remember it’s ‘guidance’ and you may decide you disagree, but if you do, be sure to have a strong case for doing so.
A final tiny tip – I’d recommend downloading the Right of Access Guidance, as on the ICO website it can be tricky to search if you are looking for something specific. Also, be sure to check for updates.
Philippa Donn, October 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.