The ICO has published detailed guidance on dealing with a data subject access request (“DSAR”), following a consultation in December 2019 which highlighted the need for clarification on certain areas of the law. In response, the ICO has provided additional content and examples, including responses to three key areas identified during the consultation process:
- Whether the time for complying with a request “stops” whilst an organisation seeks clarification from the requester. Ordinarily an organisation has one month to respond to a DSAR, unless it has lawfully extended that period. The guidance recognises that seeking clarification sometimes leaves organisations with too little time to respond. The ICO has therefore confirmed that the time limit for responding is paused until clarification is received, but only where clarification is genuinely required in order to respond to the DSAR and the organisation processes a large amount of information about the individual. The guidance makes clear that clarification should not be sought as a matter of routine or on a blanket basis.
- When a request is manifestly unfounded or excessive, so as to justify refusing to comply. The guidance indicates that a request may be manifestly unfounded where the individual clearly has no intention of exercising their right of access (for example, they offer to withdraw it in return for some form of benefit from the organisation) or where the request is malicious in intent. Whether a request is manifestly excessive turns on whether it is clearly or obviously unreasonable, judged by whether the request is proportionate when balanced against the burden or cost of dealing with it.
The guidance sets out some general considerations for organisations to take into account when assessing whether a request is manifestly unfounded or excessive:
  - consider each request on an individual basis; it is important not to have a blanket policy;
  - do not presume that a request is manifestly unfounded or excessive just because the individual has previously submitted one that was;
  - there must be an obvious or clear quality to the unfoundedness or excessiveness; and
  - justify, and ideally document, why you consider a request to be manifestly unfounded or excessive.
- What organisations can include when charging a fee for responding to manifestly unfounded, excessive or repeat DSARs. The guidance makes clear that organisations can take into account the administrative costs of complying with a request, which may include copying, printing, postage and other expenses associated with transferring the data to the individual (for example USB sticks and envelopes), as well as staff time.
The guidance provides much-needed clarity on some key areas of the data protection legislation and is well worth a read (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/). As the ICO itself recognises, people are waking up to the power of their personal data, and it is therefore more important than ever that organisations are familiar with their obligations when it comes to DSARs.