On 21 October 2020, the Information Commissioner’s Office (ICO) released its updated guidance on the data subject right of access under Article 15 of the EU General Data Protection Regulation.
The ICO encourages organisations to be prepared and take a proactive approach with Subject Access Requests (SARs), regardless of whether or not they receive SARs on a regular basis. This not only helps them to respond to requests effectively and in a timely manner, but also increases levels of confidence in an organisation’s ability to deal with them and increases the transparency of what they do with individuals’ data.
What preparatory steps can you take?
The ICO states that the preparatory steps an organisation should take will depend on a number of factors, including (1) the type of personal data it processes, (2) the number of requests it receives, and (3) its size and resources. Depending on these factors, examples of some preparatory steps include: (1) offer training to staff members to help them recognise a SAR, and provide further training to those who will be dealing with them, (2) produce a standard checklist to ensure a consistent approach to all SARs is adopted, and (3) maintain a log of all SARs received and update it to monitor progress. The log may include copies of information supplied in response to a specific SAR, together with copies of any material withheld and the reasons why.
Can you refuse to comply with a SAR?
Yes, you can refuse to comply with a SAR in whole or in part if an exemption applies, or if the request is “manifestly unfounded” or “manifestly excessive”.
The ICO’s update provides further clarity on what a manifestly excessive SAR might look like. The ICO states that in order for a SAR to be manifestly excessive, an organisation should consider whether “it is clearly or obviously unreasonable”. This should be based on whether the request is “proportionate when balanced with the burden or costs involved in dealing with the request”.
It is important to note that a SAR is not necessarily excessive just because the individual requests a large amount of information. Instead, a recipient of a request should take into account: (1) the nature of the requested information, (2) the context of the request, and the relationship between them and the individual, (3) whether a refusal to provide the information or even acknowledge if they hold it may cause substantive damage to the individual, (4) their available resources, (5) whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed, or (6) whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).
A request may be manifestly unfounded if the individual demonstrates no clear intention to access the information, or is malicious in intent and is using the request to harass an organisation with no real purpose other than to cause disruption. The ICO offers guidance on what factors may indicate malicious intent, which include: (1) the individual explicitly states that the SAR is to cause disruption, (2) the SAR includes unsubstantiated accusations against the organisation or specific employees, (3) the individual is targeting a particular employee against whom they have some personal grudge, or (4) the individual sends frequent requests as part of a campaign with the intention of causing disruption, e.g. once a week.
Can you charge a fee to deal with the SAR?
In most cases, you cannot charge a fee to deal with a SAR.
However, the ICO has provided clarification on charging a fee where it is manifestly unfounded or excessive or where an individual requests further copies of their data following a request.
When determining a “reasonable fee”, an organisation can take into account the administrative costs of: (1) assessing whether or not it is processing the information, (2) locating, retrieving and extracting the information, (3) providing a copy of the information, and (4) communicating the response to the individual, including contacting the individual to inform them that the recipient holds the requested information (even if it is not providing the information).
The ICO states that a reasonable fee may include the costs of: photocopying, printing, postage, equipment, supplies and staff time. The ICO recommends that where an organisation is going to charge a fee, it should have unbiased criteria for charging fees in place and make these available to the individual making the request (it is not a requirement to publish them online). If an organisation chooses to charge a fee, it does not need to comply with the request until it has received the fee.
Can you pause the 30-day time limit to respond if you require clarification on the SAR?
Prior to the ICO’s update, the time limit for responding to a SAR was not paused where a recipient required clarification from the individual submitting the request. However, this position has now changed. Now, in certain circumstances, an organisation may ask the requestor to specify the information their request relates to before responding to the request, known as “stopping the clock”. Once a request for clarification has been sent, the one-month deadline for responding is paused until the individual replies with their clarification.
You can only do this if clarification is genuinely required in order to respond to the SAR and if you process a large volume of information about that employee. The ICO do not define what a “large amount of information” is, however, they suggest that this will depend on a recipient’s size and resources, and their ability to locate and retrieve the requested information by conducting a “reasonable search.”
The ICO states that in cases where clarification is requested but no response is received, you should wait for a reasonable period of time (one month) before considering the request ‘closed’.