Updated ICO Right of Access Guidance
The ICO has refreshed its guidance on Data Subject Access Requests (DSARs), with the regulator using the traditional term ‘SARs’. It’s made clear this is to reflect amendments to existing law brought in by the Data (Use and Access) Act (DUAA).
This is all great, but the tricky bit is working out what’s actually changed from previous guidance. It’s not obvious whether only sections relating to DUAA provisions have been updated or whether there might be other more nuanced tweaks. What we do know is amendments under the DUAA aren’t dramatic, largely reflecting existing case law and previous ICO guidance concerning:
■ Searches
Organisations (controllers) are only required to conduct reasonable and proportionate searches for relevant information.
■ Time limits
The period organisations have to respond to requests begins when the organisation receives the request, proof of identity (if required) or a fee (if a request is judged to be manifestly unfounded or excessive).
■ Stopping the clock
When seeking clarification, the clock can be paused while waiting for an individual’s response.
Reasonable and proportionate searches
This is a particularly difficult area for organisations to navigate. What is ‘reasonable and proportionate’ in practice? How do we justify that a particular search would be unreasonable and disproportionate? I’d secretly hoped for some nice clear examples, but my hopes have been dashed!
The section What efforts do we need to find information? remains but has been tweaked. These might seem a tad technical, but here are a few points I’ve spotted:
■ The line “UK GDPR places a high expectation on you to provide information in response to a SAR” has been removed.
■ The updated guidance states: “You must make a reasonable and proportionate search to respond to a SAR. This means that you must make reasonable efforts to find and retrieve the requested information.”
■ The following line remains the same “However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.”
■ When determining whether searches may be unreasonable or disproportionate, previous guidance said we should consider the circumstances of the request, any difficulties involved in finding the information, and the fundamental right of access. Alongside these, the updated guidance adds we can also consider “the volume of information you may need to search in order to respond”. This is a useful clarification which may prove helpful when you’re faced with a significantly large amount of information.
■ The line “the burden of proof is on you to be able to justify why a search is unreasonable or disproportionate” is replaced with: “You must be able to show why a search is unreasonable or disproportionate.”
■ The updated guidance still tells us: “Even where searching for certain information may be unreasonable or disproportionate, you should still search for any other information within the scope of a request”, but it clarifies: “You may ask the person for further information to help you find the information they have requested.”
Time limits
Previous guidance already told us the timescale for responding doesn’t start until we’ve received proof of identity, where deemed necessary to ask for this. The ICO makes it clear ID documents must be requested as soon as possible. Here are some extracts from the refreshed guidance:
■ The timescale for responding to a SAR does not begin until you have received the requested information. However, it’s important to avoid delays. Therefore, you should request ID documents as soon as possible.
■ If the requested ID information is not sufficient and you need to take further steps to verify the person’s identity, you can do so. The timescale for responding to the SAR resumes once you have completed the verification. However, further requests for verification are only likely to be necessary in exceptional circumstances.
See – Can We Ask for ID?
Stopping the clock to clarify
If you follow existing guidance, you’ll already be pausing the clock when contacting the individual to seek clarification. The updated guidance continues to stress we shouldn’t take a blanket approach to seeking clarification, and we should be able to justify why we’re seeking more information. Here are some ICO points to bear in mind:
■ If you do ask for clarification, the time limit pauses on the day you request clarification and resumes on the day after you receive it. This is referred to as ‘stopping the clock’.
■ The clock only stops if you are seeking clarification about the information requested. It does not apply if you ask for clarification on any other matter — for example, the format of the response.
■ You should ask for clarification as soon as possible after receiving the SAR. This will enable you to search for the information the person wants at the earliest possible stage and ensure that you have enough time to respond.
■ If it only becomes apparent after starting a search that you need further information to respond to the SAR, you should be able to explain why it was not possible to request clarification earlier. You should record your reasons. If you ask for clarification and receive it on the same day, the clock does not stop. You should calculate any extension to the time limit in terms of days, not hours.
■ If you need to request clarification and proof of ID, you should do both as soon as possible. It’s unreasonable to wait until the person gives clarification before asking for ID, unless there is a risk of disclosing
The guidance tells us to calculate the date when the response would normally be due. Then, if we’ve requested clarification, we can extend this time limit by the number of days we’ve stopped the clock.
See – Can We Clarify A Request?
The previous guidance was well over 100 pages long and the updated guidance is 124 pages. The length reflects how challenging and nuanced requests can be to fulfil. I’d encourage anyone involved in responding to requests to take time to read the guidance and adjust their internal procedures as necessary.
None of this detracts from my feeling that organisations are facing a world in which DSARs are increasingly being weaponised, are hugely resource intensive to fulfil, and often seem to deliver little of meaningful value to the individual. I wish changes to the law had gone further, as I wrote here: Why the Right of Access is broken.