The ICO’s new subject access guidance

October 29, 2020

The Information Commissioner’s Office has published detailed guidance on how organisations should deal with subject access requests (SARs) “effectively and efficiently”. Ibrahim Hasan looks at the key points.

GDPR has introduced some new Data Subject rights including the right to erasure and data portability. The familiar right of Subject Access though still remains albeit with some additional obligations. This month the Information Commissioner’s Office (ICO) published its long awaited right of access detailed guidance following a consultation exercise in December. The guidance provides some much needed clarification on key subject access issues Data Controllers have been grappling with since May 2018.

Reasonable Searches

Sometimes Data Subjects make subject access requests with the aim of creating maximum work for the recipient. “I want to see all the documents you hold which have my name in them, including emails” is a common one. How much effort has to be made when searching for such information? The new guidance states that Controllers should make reasonable efforts to find and retrieve the requested information. However, they are “not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.” Factors to consider when determining whether searches may be unreasonable or disproportionate are:

the circumstances of the request;
any difficulties involved in finding the information; and
the fundamental nature of the right of access.

Thus there is no obligation to make every possible effort to find all instances of personal data on the Data Controller’s systems. However, the burden of proof is on Controllers to be able to justify why a search is unreasonable or disproportionate.

Stopping the Clock

Data Controllers have one month to respond to a subject access request. Normally this period starts from the day the request is received. Previously the ICO guidance stated that the day after receipt counted as ‘day one’. They revised their position last year following a Court of Justice (CJEU) ruling.

Data Controllers can ask the Data Subject to clarify their request, if it is unclear what they want, but this often leaves little time to meet the one month deadline. Having considered consultation responses, the ICO’s position now is that where a request requires clarification, in certain circumstances, the clock can be stopped whilst Controllers are waiting for clarification.

Manifestly Unfounded and Excessive

Article 12(5) of GDPR allows Data Controllers to refuse a Data Subject request or charge a fee where it is “manifestly unfounded or excessive.” The burden of proving this is on the Controllers whose staff often struggle with these concepts. The ICO has now provided additional guidance on these terms.

A request may be manifestly unfounded if:

The individual clearly has no intention to exercise their right of access; or
The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual: explicitly states, in the request itself or in other communications, that they intend to cause disruption; makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice; targets a particular employee against whom they have some personal grudge; or systematically sends different requests to the Controller as part of a campaign, e.g. once a week, with the intention of causing disruption.

To determine whether a request is manifestly excessive Data Controllers need to consider whether it is clearly or obviously unreasonable. They should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request, including:

the nature of the requested information;
the context of the request, and the relationship between the Controller and the individual;
whether a refusal to provide the information or even acknowledge if the Controller holds it may cause substantive damage to the individual;
the Controller’s available resources;
whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).

The Fee

What can be included when charging a fee for manifestly unfounded or excessive requests? The new guidance says Data Controllers can take into account the administrative costs of:

assessing whether or not they are processing the information;
locating, retrieving and extracting the information;
providing a copy of the information; and
communicating the response to the individual

A reasonable fee may include the costs of:

photocopying, printing, postage and any other costs involved in transferring the information to the individual;
equipment and supplies (e.g. discs, envelopes or USB devices)

Staff time can also be included in the above based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. In the absence of relevant regulations under the Data Protection Act 2018, the ICO encourages Data Controllers to publish their criteria for charging a fee and how they calculate it.

Finally, the new ICO guidance emphasises the importance of preparation particularity the need to have:

Training for employees to enable them to recognise subject access requests;
Specific people appointed to deal with requests;
Policies and procedures; and 
Technical systems in place to assist with the retrieval of requested information.

Ibrahim Hasan is a solicitor and director of Act Now Training. He can be contacted This email address is being protected from spambots. You need JavaScript enabled to view it..

Act Now's Handling Subject Access Requests workshop is now available online. It covers all aspects of dealing with SARs including identifying and applying exemptions. Looking for a GDPR Qualification? Final places left on its online GDPR Practitioner Certificate

The ICO’s new subject access guidance

Judge remits FOI case after finding First-Tier Tribunal was wrong to strike out proceedings, amid doubts over reliability of previous evidence from council

Information watchdog publishes guidance on transparency in health and social care

Council loses appeal over FOI request for names of those who submitted consultation responses as part of their public-facing roles

Information watchdog seeks views on accuracy of generative AI models in third call for evidence

A guide to UK data protection law with relevant provisions of the Data Protection Act 2018

Making Decisions Judicially - A Guide for Decision-Makers

Essential Law for Cemetery and Crematorium Managers

A Practical Guide to GDPR for Schools

Cornerstone on Information Law

Cornerstone on Social Housing Fraud

Information Rights

Director of Law and Governance

Governance & Contracts Manager