Updated guidance on Subject Access Requests
The Information Commissioner’s Office (ICO) recently provided updated guidance relating to how employers should deal with any Subject Access Requests (SARs) they receive.
Whilst the law surrounding SARs hasn’t changed, the clarification is being welcomed by organisations, some of which have faced an influx of SARs. Please see below for the points of clarification provided by the ICO:
Stopping the clock
Organisations often struggle to respond to SARs either because it is not clear what is being requested, or because of the length of time and effort it will take to obtain the data requested. The ICO have attempted to alleviate this pressure by clarifying that there is the ability to stop the clock in certain circumstances whilst the data controller is waiting for clarification from the requester. This means that organisations can “stop the clock” in terms of the deadline for complying with a request, while clarification is sought in respect of the request.
Excessive requests
A data controller can refuse to comply with a request if it is deemed “manifestly excessive”. However, it is up to the recipient of the request to decide whether to rely upon the exemption or not. If the data controller gets it wrong, and the requester complains to the ICO or submits a claim for compensation, this could be costly for the data controller. There has been a lot of confusion as to what constitutes a manifestly excessive request. The ICO has helpfully confirmed that when deciding if a request is manifestly excessive, an organisation must first decide whether it is obviously unreasonable, and whether the costs of dealing with the request are proportionate. Areas to take into account include the nature and context of the request, whether a refusal would cause substantive damage to the individual, and whether the request largely repeats previous requests. The fact that an individual requests a large amount of information does not mean that the request will be deemed excessive. However, data controllers do now have further guidance upon which to make their decision.
Charging fees
Dealing with SARs often comes at a cost. SARs can be complex to respond to, and this can put an extra strain on organisations, which must deploy staff members to locate the information requested. The updated guidance allows for a reasonable fee to be charged for the administrative costs in dealing with requests, provided that the costs of the following factors are taken into account:
– Assessing whether or not you are processing the information;
– Locating, retrieving and extracting the information;
– Providing a copy of the information; and
– Communicating the response to the individual.
A reasonable fee can consist of the staff time in dealing with the request along with the costs of actually transferring the information and any equipment needed.