ICO updates data subject access request guidance


Posted on 02 Nov 2020

The ICO has published updated guidance on data subject access requests (“DSARs”), following a consultation on draft guidance last year. 

The final version of the guidance removes various inconsistencies identified in the draft guidance and tries to deal with some other concerns raised during the consultation. Mike Hibberd was part of the Employment Lawyers Association working party which responded to the consultation.

The guidance is detailed and organisations should refer to it when dealing with any DSAR. It seeks to clarify three key issues:

1. Stopping the clock for clarification

Organisations must respond to a data subject access request without undue delay and usually within one month of receipt. Where the request is complex, a further two-month extension is available.

DSARs are often complicated, especially in the employment context. When individuals ask for “all their data,” controllers sometimes struggle to understand where their data is likely to be located. Controllers may therefore need to clarify the request with the individual.

The draft guidance stated that the time limit for responding did not stop while a controller clarified a request. This would have been problematic – if individuals stalled when clarifying their request, controllers would have very little time to process the request once clarified.

The updated guidance confirms that the clock can stop while the request is clarified. However, controllers should not seek clarification on a blanket basis. They should only seek clarification if:

  • It is genuinely required in order to respond to a DSAR and
  • The controller processes a large amount of information about the individual

The ICO confirms that whether a controller is considered to hold a large amount of information about an individual will depend, to an extent, on the organisation’s size and available resources.

The guidance also confirms that seeking to clarify a request cannot be used as a way of forcing an individual to narrow their request. If the individual repeats their request for all their data, the controller will have to conduct a reasonable search for the information.

2. “Manifestly excessive” requests

The GDPR permits controllers to refuse to comply with a “manifestly unfounded or excessive” request. The guidance lists factors to determine if a request falls into this category.

Controllers need to consider whether the request is clearly or obviously unreasonable. They should assess whether the request is proportionate, when balanced against the burden or costs involved in dealing with it. All the circumstances should be considered, including:

  • The nature of the requested information
  • The context of the request, and the relationship between the controller and the individual
  • Whether refusing to provide the information or even acknowledge if the controller holds it may cause substantive damage to the individual
  • Available resources
  • Whether the request largely repeats previous requests and a reasonable interval has not elapsed or
  • Whether it overlaps with other requests (although if it concerns a completely separate set of information it is unlikely to be excessive). 

A request is not necessarily excessive because it requests a large amount of information. Controllers should consider asking individuals for more information to help locate the requested information so they can make reasonable searches for it. 

3. Charging a fee for excessive, unfounded or repeat requests

In most cases, controllers cannot charge a fee for responding to a DSAR. However, the guidance explains that controllers can charge a “reasonable fee” for the administrative costs of complying with a request if:

  • It is manifestly unfounded or excessive (see above) or
  • An individual requests further copies of their data following a request

When determining a reasonable fee, the controller can take into account the administrative costs of: 

  • Assessing whether they are processing the information
  • Locating, retrieving and extracting the information
  • Providing a copy of the information and
  • Communicating the response to the individual

The ICO recognises there may be a substantial overlap in these points and confirms controllers must not ‘double-charge’ the individual. 

A reasonable fee may include the costs of:

  • Photocopying, printing, postage and any other costs involved in transferring the information to the individual (e.g. the costs of making the information available remotely on an online platform)
  • Equipment and supplies (e.g. discs, envelopes or USB devices) and
  • Staff time

Staff time costs should be based on the estimated time it will take them to comply with the specific request, charged at a reasonable hourly rate. While the Data Protection Act 2018 allows the Secretary of State to specify limits on controllers’ fees to deal with a manifestly unfounded or excessive request, there are currently no regulations in place. Therefore, controllers are responsible for ensuring they charge a reasonable rate.

Fees should be charged in a reasonable, proportionate and consistent manner. It is good practice to establish an unbiased set of criteria for charging fees. The criteria should be clear, concise and accessible. When requesting a fee, controllers should explain the costs to the individual. 

Controllers must be able to justify the costs charged if an individual complains to the ICO. If charging a fee, the controller does not need to comply with the request until the fee is received. The fee should be requested promptly.

However, in most cases a controller cannot charge a fee - fees are the exception rather than the rule.


Organisations often find DSARs complex, lengthy and time-consuming. The guidance will help them to deal with requests but is confusing in part and still leaves some areas of ambiguity. For example, controllers are likely to be confused over when they may refuse a request because it is manifestly excessive and when they may only charge a fee.  

The ICO is also preparing a simplified DSAR guide for small businesses which will pick out the key ‘need-to-knows’ from the detailed guidance. 
