On 21 October 2020, almost a year after the UK’s Information Commissioner’s Office (ICO) provided draft guidance on the right of access, the ICO published its updated guidance on data subject access requests (DSARs), available here (Guidance).
In a previous post available here, we covered what DSARs are and the principal areas of focus of the draft guidance.
So, what has changed? Overall, the Guidance provides more in-depth advice and further examples to help organisations understand how they can meet Article 15 of the General Data Protection Regulation (GDPR) requirements in handling DSARs.
There are, however, three particular areas of note, where the ICO provided further explanation.
1. Stop the clock for clarification
During the consultation process, the ICO received feedback that when an organisation seeks clarification from the data subject regarding the scope of their DSAR, by the time the data subject replies, there is insufficient time left to adequately respond given the one-month deadline. In response to this practical issue faced by organisations, the ICO explained that organisations can stop the clock to seek clarification from the data subject. The Guidance also mentions that organisations should only seek clarification where (a) it is genuinely required and (b) the organisation processes a large amount of information about the data subject. Whilst data subjects are not obliged to respond and clarify their original request, the ICO reminded organisations that they are not expected to “leave no stone unturned”. In such cases, organisations “may choose to perform a reasonable search instead” and are “not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information”.
2. Manifestly unfounded or manifestly excessive requests
A DSAR can be manifestly unfounded if (a) the data subject clearly does not intend to exercise their right of access, for example if they offer to withdraw their DSAR “in return for some form of benefit from the organisation” or (b) the request has a malicious intent. Organisations must, however, remember this is not a checklist which will automatically prove that a DSAR is manifestly unfounded, and each request must be considered on its own facts.
The ICO also clarified that a manifestly excessive DSAR will be “clearly and obviously unreasonable”. Organisations will need to base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request and take into account all the circumstances of the request, including:
- The nature of the requested information;
- The context of the request, and the relationship between the organisation and the individual;
- Whether a refusal to provide the information or even acknowledge if the organisation holds it may cause substantive damage to the individual;
- The organisation’s available resources;
- Whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
- Whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).
A DSAR will not be manifestly excessive just because the individual requests a large amount of information, so this is perhaps a balancing exercise that may have organisations scratching their heads.
If a DSAR is manifestly unfounded or manifestly excessive, an organisation can refuse to comply with the request. However, the data subject must be informed of this together with the reasons why, their right to lodge a complaint to the ICO or other supervisory authority and their ability to seek to enforce the right through the courts. Bearing in mind that refusals to respond to requests may be scrutinised by the ICO, it is good practice for organisations to keep a record of why a DSAR was denied.
3. Fees for manifestly excessive, manifestly unfounded or repeat requests
The Guidance states that as an alternative to refusing to comply with a DSAR, organisations can charge a reasonable fee to cover administrative costs where the DSAR is manifestly excessive, manifestly unfounded or is a request for further copies of data following a DSAR. When determining a reasonable fee organisations may take into account costs of (a) photocopying, printing, postage and any other costs involved in transferring the information to the data subject (e.g., costs of making the information available on an online platform), (b) equipment and supplies (e.g., USBs, envelopes) and (c) staff time, which should be charged at a “reasonable hourly rate”.
Any such fees should be charged in a “reasonable, proportionate and consistent manner” with an unbiased set of criteria for charging fees, which should be made available on request.
The right of access is a fundamental right for individuals. Whilst there’s no doubt that DSARs can often be seen as a considerable administrative, and even an expensive, burden on organisations, handling them properly does help to evoke trust and confidence in how and why organisations use individuals’ personal data. The ICO’s Guidance aims to help organisations “get this right” and together with their plans to release a suite of further DSAR-related resources, this should be seen as welcome progress from the regulator. Please check back in for further updates.