On 4 December 2019, the Information Commissioner’s Office (ICO) published draft guidance on data subject access requests (DSARs) (Guidance). This updated Guidance comes just 18 months after the current version was first published in April 2018. Previously, in June 2019, the ICO (here) criticised the Metropolitan Police for its handling of DSARs. The ICO also outlined some of the practical steps for responding to DSARs.

The new Guidance further recognises the importance of some of the issues organisations are facing when dealing with DSARs, while the consultation process seeks to refine this further by taking into account organisations’ experiences in dealing with DSARs made since May 2018, when the General Data Protection Regulation (GDPR) came into force.

Below, we take a look at some of the key, new provisions of the updated Guidance.

What are DSARs?

The right of access is one of the data subjects’ rights contained in the GDPR and the Data Protection Act 2018. Under this right, data subjects have the right to obtain the following from a data controller:

  • a confirmation that the data controller is processing their personal data;
  • a copy of the personal data; and
  • other supplementary information provided for in the privacy notice.

Given the increase in the number of DSARs across all sectors, the ICO’s attention is turning to helping organisations respond. There is also a full range of resources available on the ICO website.

What does the Guidance cover?

The draft Guidance follows on from the ICO’s initial guidance on the right of access published in April 2018 and provides greater detail on the rights that individuals have to access their personal data and the obligations on data controllers.

The updated Guidance particularly focuses on:

  1. Recognising DSARs: the Guidance covers recognition of DSARs made using social media sites where the organisation has a presence and requests are made on behalf of the data subject by a third party. The ICO clarifies that there are no specific formalities for a request to be valid.
  2. Exemptions: the Guidance provides greater clarity on what organisations should consider when assessing if an exemption is applicable. Accordingly, there is no obligation to comply if a request is manifestly unfounded. Here, while the revised Guidance is primarily in line with the previous commentary from the ICO, it also looks at the most commonly used exemptions.
  3. Special rules involving certain categories of personal data: the Guidance includes special rules and provisions applicable to DSARs covering unstructured manual records, credit files and health, education and social work data. Health, education and social work data also have their own additional sections in the Guidance.
  4. How to deal with requests involving the personal data of others: the Guidance sets out a more detailed three-step approach to help organisations decide whether to disclose information relating to a third party. The three-step approach asks the following questions: (i) Does the request require the disclosure of information that identifies another individual? (ii) Has the other individual consented? (iii) Is it reasonable to disclose without consent?


This latest draft of the Guidance provides further detail on data subject rights and the obligations on data controllers, particularly in the health and education sectors. This detail will be helpful to those organisations which are still grappling with responding to an increased number of DSARs.

The Guidance is not finalised. The ICO has opened the Guidance for public consultation and welcomes comments on the draft for 10 weeks until 12 February 2020. The consultation will further inform the ICO on the specific areas where organisations are seeking clarity. For this consultation, the ICO will publish all responses received from organisations. After the consultation process, the Guidance will be finalised. If you are interested in responding, please use this link and do not forget to keep an eye on this blog for further updates!