Now more than ever, it is important for individuals to understand how they can access their personal data and for organisations to understand what they must do in this regard. More and more people are becoming aware of their right to make a subject access request (SAR) and such right of access is fundamental under data protection law.
In a world of social media and online reviews, it is essential for organisations to understand how to deal with SARs effectively, particularly now that data protection is being brought to the fore by the dawn of track and trace and by increasing public awareness of personal data sharing.
Demonstrating good SAR compliance promotes confidence and trust in that organisation. Conversely, a badly handled SAR can be detrimental to an organisation’s reputation and can erode consumer confidence.
The ‘Right of Access Detailed Guidance’, which the Information Commissioner's Office (ICO) published recently, is intended to help organisations handle SARs correctly and efficiently.
The message from the ICO is that it has listened to organisations and their feedback. In response to its initial consultation in December 2019, the ICO has published this detailed guidance and has provided three key areas of clarification:
- Stopping the clock – Organisations were finding that seeking clarification on requests often did not leave them enough time to respond to individuals. The guidance therefore clarifies that in some circumstances the clock can be stopped whilst an organisation is waiting for the requester to provide clarification. Such circumstances are:
  - where such clarification is genuinely required in order to respond to the SAR; and
  - where the organisation processes a large amount of information about the individual (and it is not clear what information the individual is requesting).
- Manifestly excessive requests – The ICO has provided additional guidance to help organisations understand what is meant by a manifestly excessive request. Under the guidance, a request is manifestly excessive if it “is clearly or obviously unreasonable” (taking into account factors such as whether it repeats or overlaps with other requests). A request will not necessarily be excessive just because a large amount of information has been requested. Ultimately, organisations must have demonstrable justifications for why they consider a request to be excessive.
- Charging a fee for excessive, unfounded or repeat requests – The ICO has updated what organisations can take into account when charging a reasonable fee for responding to manifestly unfounded or excessive requests. This includes photocopying, printing, postage and any other costs involved in transferring the information to the individual, as well as the costs of equipment and supplies and the time required by staff to provide a response.
The ICO has also made other changes and added additional content to the version of the guidance that it published for consultation. The guidance also specifically addresses other key areas such as third party service providers making requests on behalf of individuals.
The ICO is planning to provide further resources around SARs (including a simplified guide for small businesses which will set out the key points to note from the detailed guidance).
In the meantime, please feel free to contact any member of our Data Protection and Privacy team who will be delighted to help you with SAR compliance.