The Information Commissioner’s Office has published detailed guidance on how organisations should deal with subject access requests (SARs) “effectively and efficiently”. Ibrahim Hasan looks at the key points.
GDPR has introduced some new Data Subject rights including the right to erasure and data portability. The familiar right of Subject Access still remains, albeit with some additional obligations. This month the Information Commissioner’s Office (ICO) published its long-awaited detailed guidance on the right of access, following a consultation exercise in December. The guidance provides some much-needed clarification on key subject access issues Data Controllers have been grappling with since May 2018.
Sometimes Data Subjects make subject access requests with the aim of creating maximum work for the recipient. “I want to see all the documents you hold which have my name in them, including emails” is a common one. How much effort has to be made when searching for such information? The new guidance states that Controllers should make reasonable efforts to find and retrieve the requested information. However, they are “not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.” Factors to consider when determining whether searches may be unreasonable or disproportionate are:
- the circumstances of the request;
- any difficulties involved in finding the information; and
- the fundamental nature of the right of access.
Thus there is no obligation to make every possible effort to find all instances of personal data on the Data Controller’s systems. However, the burden of proof is on Controllers to be able to justify why a search is unreasonable or disproportionate.
Stopping the Clock
Data Controllers have one month to respond to a subject access request. Normally this period starts from the day the request is received. Previously the ICO guidance stated that the day after receipt counted as ‘day one’. They revised their position last year following a Court of Justice (CJEU) ruling.
Data Controllers can ask the Data Subject to clarify their request, if it is unclear what they want, but this often leaves little time to meet the one month deadline. Having considered consultation responses, the ICO’s position now is that where a request requires clarification, in certain circumstances, the clock can be stopped whilst Controllers are waiting for clarification.
Manifestly Unfounded and Excessive
Article 12(5) of GDPR allows Data Controllers to refuse a Data Subject request or charge a fee where it is “manifestly unfounded or excessive.” The burden of proving this is on the Controllers whose staff often struggle with these concepts. The ICO has now provided additional guidance on these terms.
A request may be manifestly unfounded if:
- The individual clearly has no intention to exercise their right of access; or
- The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual: explicitly states, in the request itself or in other communications, that they intend to cause disruption; makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice; targets a particular employee against whom they have some personal grudge; or systematically sends different requests to the Controller as part of a campaign, e.g. once a week, with the intention of causing disruption.
To determine whether a request is manifestly excessive Data Controllers need to consider whether it is clearly or obviously unreasonable. They should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request, including:
- the nature of the requested information;
- the context of the request, and the relationship between the Controller and the individual;
- whether a refusal to provide the information or even acknowledge if the Controller holds it may cause substantive damage to the individual;
- the Controller’s available resources;
- whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
- whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).
What can be included when charging a fee for manifestly unfounded or excessive requests? The new guidance says Data Controllers can take into account the administrative costs of:
- assessing whether or not they are processing the information;
- locating, retrieving and extracting the information;
- providing a copy of the information; and
- communicating the response to the individual.
A reasonable fee may include the costs of:
- photocopying, printing, postage and any other costs involved in transferring the information to the individual;
- equipment and supplies (e.g. discs, envelopes or USB devices).
Staff time can also be included in the above based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. In the absence of relevant regulations under the Data Protection Act 2018, the ICO encourages Data Controllers to publish their criteria for charging a fee and how they calculate it.
Finally, the new ICO guidance emphasises the importance of preparation, particularly the need to have:
- Training for employees to enable them to recognise subject access requests;
- Specific people appointed to deal with requests;
- Policies and procedures; and
- Technical systems in place to assist with the retrieval of requested information.