ICO issues new detailed guidance on Data Subject Access Requests

Click here for the guidance.

In December 2019 the ICO issued a consultation on DSARs, requesting feedback from organisations from various sectors and of a range of sizes. The ICO recognised that extra clarity was needed in certain areas that respondents had identified, with a number of responses requesting a greater number of examples from the ICO in these areas.

As a result, the ICO has provided clarity on three key areas:

Clarifying requests – the ICO has confirmed that in certain circumstances the time limit for providing a response to DSARs can be paused while waiting for clarification from a requester. This now clarifies that if an organisation processes a large amount of information about an individual, you can ask a requester to specify the information or processing activities that their DSAR relates to before you respond. The time limit for compliance is paused until you receive clarification from the requester. However, this can’t be a blanket policy and you must only rely on this if you actually need to do so in order to respond to the DSAR. If you process a large volume of information about an individual (which may depend on the size and resources available to an organisation), but you can still find and provide the requested information quickly, it is unlikely to be reasonable to seek clarification and pause the time limit for compliance.

Manifestly excessive requests – additional guidance has been provided in relation to what constitutes an excessive request. The definition of such a request has also been broadened. Factors to consider include:

• An organisation’s available resources; and
• Whether it overlaps with other requests (unless those requests are for entirely different information).

Where the request may be excessive you nevertheless should consider the damage that may be caused to the individual by refusing the request or not acknowledging the information is held as a factor when deciding how to deal with the request.

Charging fees for complying with certain types of DSAR – the factors that organisations can take into account when seeking to charge requesters a fee for administrative time spent on excessive, unfounded or repeat requests have been updated. A reasonable fee can include the costs of staff time, which should be based on the estimated time it will take staff to comply with a DSAR. The Data Protection Act 2018 permits regulations to be made to specify limits on the fees that a controller may charge when dealing with manifestly unfounded or excessive DSARs (although no such regulations are yet in place).

The ICO has made a number of changes and additions to the previous version of its guidance which it hopes will assist organisations in complying with DSARs and their wider data protection obligations generally. They are also planning further guidance including a guide to DSARs for small businesses which simplifies the detailed guidance and addresses key issues.

Our services

Ward Hadaway regularly advises organisations in a variety of sectors on complying with DSARs and on data protection matters generally and our team of data protection experts are experienced in dealing with these types of issues. For more details on how we can help you, or for guidance in relation to any of the issues raised, please get in touch.