ICO publishes new detailed Data Subject Access Request guidance
How far does the new guidance assist with some of the more challenging aspects of data subject access requests (DSARs)?
The key takeaway
In our connected world, the ICO sees it as vital that people have the right to be able to find out what’s happening to their information. The new guidance helps businesses respond to these requests by explaining (amongst other clarifications): (i) when the clock can be stopped for clarification; (ii) what constitutes a manifestly excessive request; and (iii) when a fee can be charged for excessive, unfounded or repeat requests.
DSARs provide individuals with the right to access and receive a copy of their personal data, and other supplementary information. Given the vast amounts of data now stored as a result of the shift to digital working, compliance with such a request can place a large administrative and financial burden on all data controllers. The Information Commissioner’s Office (ICO) has recently published its new “right of access detailed guidance” (Guidance), designed to provide clarity around some issues which data controllers frequently come up against.
The Guidance helpfully indicates the approach that the ICO will take in assessing compliance with a DSAR and the key factors that should be considered by organisations when complying:
1. Extending the time for compliance
An organisation may extend the time for compliance with a DSAR by an additional two months where a request is particularly “complex”. The Guidance specifies that complexity is fact-specific and will be judged on a case-by-case basis, but aspects which the Guidance indicates will be considered are:
- the level of technical difficulty in retrieving the data
- an especially large volume of data (although this in itself is not an indication of complexity)
- where confidentiality considerations are at play
- where specialist legal advice must be sought (in circumstances where this is not a regular occurrence).
Where a request is non-GDPR related it is unlikely that it will justify an extension of time. Where an extension is justified, the data controller must inform the data subject why the extra time is required. A data controller should be cautious in exercising this right and can expect significantly higher levels of scrutiny from the DSAR requesting party and complaints to the ICO where they feel this has not been exercised properly.
2. Stopping the clock
This timeline for response can be paused and the clock “stopped” where: (i) the data controller legitimately requires clarification from the requesting individual; (ii) the data controller needs to verify the identity of the requester; or (iii) the data controller requires the payment of a fee (see below). The ICO makes it clear that these reasons must not be used as a delaying tactic; data controllers will be expected to contact the data subject promptly in order to clarify any points, keeping a record of any such discussions, and must be able to justify this course of action to the ICO if asked.
3. Charging a fee
The DPA 2018 permits data controllers to charge a “reasonable fee” to cover the administrative costs of complying with a request (eg postage, copying, hardware and staff time) under specific circumstances, for example where a request is manifestly unfounded or excessive, or in cases where additional copies are requested. While there is no limit to the fees under the Guidance, controllers who choose to charge should ensure that they have a clear and readily available set of criteria that explains the circumstances under which a fee will be charged, the level of the fee, and how payment is taken. They should be prepared to share this with the ICO on request.
4. Reasonable search
Organisations are only expected to “make reasonable efforts to find and retrieve the requested information” when complying with a DSAR. The ICO will take into account the circumstances of the request, the difficulty in finding the information requested, and the fundamental right of the data subject to access their data.
While controllers should be thorough and must ensure that they have appropriate systems in place to enable them to conduct an efficient search for requested data, they are not required to leave no stone unturned in complying. The burden of proof remains with the data controller to justify that a search would be unreasonable or disproportionate.
5. Refusal to comply with a request
Although the new Guidance confirms that the right to make a DSAR is “purpose blind”, refusal to comply with a request may be appropriate in circumstances where the request is manifestly unfounded or manifestly excessive. Where the data subject indicates no intention to exercise their right of access, where the request is clearly malicious and designed as a means of harassment, or where an individual targets a particular employee, the Guidance indicates that the request would be manifestly unfounded. Regarding a request being manifestly excessive, the Guidance indicates that this will be the case where a request is clearly or obviously unreasonable, eg where the request is disproportionate when balanced against the cost of compliance.
Why is this important?
The above points are not exhaustive - the Guidance provides plenty of information and is designed to bring some much-needed clarity to the problematic field of DSARs, shedding light on the obligations of a data controller in receipt of a request, while also highlighting the rights of such an organisation to refuse to comply with a request or to charge a fee. Given the time and cost consequences of DSARs, the Guidance should become a key part of your DSAR response planning.
Any practical tips?
Where a data controller receives a DSAR that is likely to require a vast amount of data and manpower, requesting clarification of the request and, where appropriate, flagging that it is considered to be “manifestly unfounded” or “manifestly excessive” may be a good place to start. Beware that a data controller must be able and prepared to justify this position.
DSARs continue to prove a real challenge for most businesses whenever they land, not least given the relatively tight turnaround from receipt of a request to response. While the Guidance helps, of course it doesn’t remove the underlying challenge, which is to ensure that your internal systems are streamlined enough to search and extract personal data as efficiently as possible in the first place. Time spent lining up your systems in advance is time well spent indeed, and will help ensure your compliance budgets aren’t whittled away by DSARs in a reactive, rather than proactive, way.