Subject access requests: new guidance from ICO

Finalised guidance on subject access requests (SARs) has been published by the Information Commissioner (ICO).

The right to subject access, outlined in the General Data Protection Regulation (GDPR), allows individuals to find out what personal data is held about them and to obtain a copy of it.

This new and finalised guidance follows a consultation in 2018 which highlighted the need for additional content and examples and more support and clarification on various aspects of SARs. To that end, the final guidance provides greater clarity on three key issues:

  1. Stopping the clock for clarification – the ICO’s position now is that, in certain circumstances, the clock can be stopped on the 30-day time limit for compliance whilst organisations are waiting for the requester to clarify their request. See examples in the guidance.
  2. What is a manifestly excessive request – to combat confusion over when to class a request as manifestly excessive, the ICO has provided additional guidance to help and broadened its definition. The guidance states that this is a balancing act and the employer must determine whether the SAR is 'clearly or obviously unreasonable'. This involves assessing whether the response required is 'proportionate when balanced with the burden or costs involved'. Employers should consider all the circumstances, including (but not limited to): the nature of the information, the context of the request, whether not complying with the SAR could cause substantive damage to the employee, the employer's available resources, etc. See further here.
  3. What can be included when charging a fee for excessive, unfounded or repeat requests – the ICO has taken the feedback on board about the fee for staff time involved in responding to manifestly unfounded or excessive SARs, or responding to follow-up SARs, and has updated what organisations can take into account when charging an administration fee. It can include: the cost of staff time, photocopying, printing, postage, envelopes, USB sticks, etc. See further here.

The ICO is also planning a suite of resources, including a simplified SAR guide for small businesses.