ICO consults on new draft guidance on Subject Access Requests under GDPR

The Information Commissioner has launched a consultation on new draft guidance for organisations on how to handle Subject Access Requests (SARs) under the GDPR.

The watchdog said: “It builds on our existing guidance on the legal obligations organisations must meet when people ask for copies of their information, and also provides advice on best practice in dealing with requests.”

It added that it wanted to hear from organisations about whether the draft guidance worked for them and if they had any practical examples that could be included that reflect any difficulties they are facing.

The draft guidance, which can be viewed here, covers:

  • What is the right of access?
  • How should we prepare?
  • How do we recognise a subject access request (SAR)?
  • What should we consider when responding to a request?
  • How do we find and retrieve the relevant information?
  • How should we supply information to the requester?
  • When can we refuse to comply with a request?
  • What should we do if the request involves information about other individuals?
  • What other exemptions are there?
  • Are there any special cases?
  • Health data
  • Education data
  • Social work data
  • Can the right of access be enforced?

The consultation runs for 10 weeks until 12 February 2020.

Chris Hogan, Group Manager for Regulatory Assurance (Policy) at the ICO, said: “The right of access is one of the most fundamental elements of the GDPR and it is important that controllers get it right. We are keen to provide detailed and informative guidance that explains this right.

“Before we publish this guidance in full, we want to hear from controllers and individuals to find out whether it works for them, and in particular whether there are issues that we have not addressed.”