Subject Access Requests – new guidance from the ICO
If your heart sinks when you receive a data subject access request (SAR) you aren’t alone, especially if it’s from a long serving employee who is asking for every piece of data and the kitchen sink! SARs can be a real challenge for employers and are often used as a weapon leading up to litigation. Until recently there has been very limited guidance, making responding to a request difficult and time-consuming. The obligations on organisations are large, with little wriggle room. However, new guidance from the ICO provides a glimmer of hope and a little more certainty for those tasked with responding to requests.
In October 2020, following consultation, the ICO published updated guidance on responding to SARs. Key issues clarified in the guidance included:
- Determining when a SAR is manifestly unfounded (and so may not need to be responded to);
- Determining when a SAR is manifestly excessive (and so may not need to be responded to);
- Stopping the clock for clarification – in some circumstances an organisation can now ask the individual making the SAR to clarify their request, and “stop the clock” until clarification is received;
- Providing examples of when a request will be “complex”, allowing the organisation to extend the time for responding to three months;
- Costs which can be included when charging a reasonable fee for excessive, unfounded or repeat SARs.
We explain some of the key points in relation to these issues below.
Rejecting a SAR
A SAR can be rejected if the request is either:
- manifestly unfounded; or
- manifestly excessive.
What is meant by manifestly unfounded?
The new ICO guidance states that a request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual states (or clearly shows by their actions) that they intend to cause disruption or makes unsubstantiated accusations which are clearly prompted by malice.
This new guidance leaves some questions unanswered. For example, if an employee raises a SAR at the same time as sending a without prejudice letter requesting settlement of their claims, can the employer argue that this shows that the SAR is unfounded? The answer will depend on the facts at the time, and potentially the wording of any correspondence. Whatever the case, we recommend treading with caution and seeking advice as the consequences of getting it wrong could be severe.
What about manifestly excessive?
A request will be manifestly excessive if it is clearly or obviously unreasonable. However, it is not enough to simply call any large request excessive. The test of reasonableness will need to take into account all the circumstances of the request, including the nature of the requested information, the context of the request, the organisation’s resources, and the likely damage to be caused if the request is refused.
How do I go about rejecting the SAR?
If you refuse to comply with a request, you must inform the individual of:
- the reasons why;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through the courts.
An alternative to a complete refusal to comply could be to charge a fee for responding, as this may be less likely to incur the wrath of the ICO (see below).
What costs can be charged?
Usually, no fee can be demanded for responding to a SAR. However, the guidance has confirmed that organisations can charge a ‘reasonable fee’ for the administrative costs of complying with a request if:
- it is manifestly unfounded or excessive (see above); or
- an individual requests further copies of their data following a request.
The controller’s reasonable fee may include the costs of its staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices. Again, the key word is “reasonable”, so be careful not to go too far.
Clarifying the request and stopping the clock
If you process a large amount of information about an individual, and their SAR is broad, you may ask them to specify the information or processing activities their request relates to before responding to the request. The guidance now allows the time limit for responding to the request to be paused until clarification is received, although the organisation should still supply any supplementary information it can within one month.
This will come as a relief to organisations as it will help to relieve some of the pressure in the case of very large requests. However, the ICO is clear that clarification should not be sought on a blanket basis. It should only be sought if it is genuinely required in order to respond to a SAR; and the organisation processes a large amount of information about the individual.
This means that if an employee submits a request, and that employee has only been with the organisation a few months, it is unlikely that you will process a large amount of information about that employee. As such, it may not be appropriate to ask for clarification, even if they have submitted a wide-ranging request. On the other hand, a request from an employee who has been with the organisation for years, with huge amounts of data on file, may well warrant clarification, and pausing the clock.
Even if the clock is stopped, the guidance states that any supplementary information which can be provided within the month should be provided. For example, a general confirmation that personal data is held about the individual and details of:
- the individual’s right to request rectification, erasure or restriction, or to object to processing; and
- the individual’s right to lodge a complaint with the ICO or another supervisory authority.
If this information is contained in the organisation’s privacy notice, it would be sufficient to send this to the individual.
What if the individual does not clarify their request?
If an individual responds to the request for clarification, but does not provide any additional information, an organisation still has an obligation to reply to the SAR, and should make reasonable searches based on the initial information provided by the individual (the clock will restart once the individual’s response is received).
However, if the individual does not respond at all, the SAR can be “closed” after a reasonable period of time.
When can you extend the time limit for responding?
All SARs need to be responded to within one month of receipt, unless the organisation has received a number of requests from the individual (for example, if an individual has made one or more SARs, a request for erasure and a request for data portability simultaneously) or if the request is “complex”.
Organisations can choose to extend the time for responding to complex requests for up to a total of three months from the date of the initial SAR. However, they must inform the individual of the extension within one month of receipt of the request.
Whether a request is complex depends upon the specific circumstances of each case. What may be complex for one controller may not be for another – the size and resources of an organisation are likely to be relevant factors. Therefore, you need to take into account your specific circumstances and the particular request when determining whether the request is complex.
The ICO guidance sets out examples of factors that may add to the complexity of a request, although it makes it clear that each case must be assessed on its own circumstances:
- Technical difficulties in retrieving the information – for example if data is electronically archived.
- Applying an exemption that involves large volumes of particularly sensitive information.
- Clarifying potential issues around disclosing information about a child to a legal guardian.
- Any specialist work involved in obtaining the information or communicating it in an intelligible form.
- Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
- Needing to obtain specialist legal advice. If you routinely obtain legal advice, it is unlikely to be complex.
- Searching large volumes of unstructured manual records (only applicable to public authorities).
Requests that involve a large volume of information may add to the complexity of a request. However, a request is not complex solely because the individual requests a large amount of information.
While it is tempting, our advice would be that organisations steer away from calling every request complex, as doing so will undermine the argument when a request genuinely is.
If you need any assistance in deciphering the new guidance from the ICO, or any queries regarding responding to specific SARs, Mitchell Law has expertise in this area and can assist you. Please do get in touch.