The Information Commissioner’s Office has published detailed guidance on how organisations should deal with subject access requests (SARs) “effectively and efficiently”.
In a blog, the ICO's Acting Director of Regulatory Assurance, Anulka Clarke, said it had received more than 350 responses to its consultation on the new guidance. Although these were “generally positive”, she noted that there were calls for additional content and examples, “and it was also obvious that there was an appetite for more support and clarification on some aspects of the law that aren’t so clear-cut”.
The guidance, which can be viewed here, is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in larger organisations.
Ms Clarke said the ICO was seeking to provide clarity on the three key points raised.
- Stopping the clock for clarification – “one issue which we received a lot of feedback on was that seeking clarification on requests often didn’t leave enough time to respond. As a result, our position now is that, in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request”.
- What is a manifestly excessive request – “to combat confusion over when to class a request as manifestly excessive, we’ve provided additional guidance to help and broadened its definition”.
- What can be included when charging a fee for excessive, unfounded or repeat requests – “we’ve taken the feedback on board about the fee for staff time involved in responding to manifestly unfounded or excessive requests, or responding to follow-up SARs, and have updated what organisations can take into account when charging an admin fee”.
Ms Clarke said the watchdog had made many more changes and added additional content to the version that it had previously published.
She added: “We know it’s a difficult time. We hope this guidance is going to be useful for organisations across the board, especially during the COVID-19 pandemic, as it will give them more insight into how to deal with SARs and access the information they need quickly and easily.”
The ICO is planning a suite of resources – including a simplified SAR guide for small businesses which picks out the key ‘need-to-knows’ from the detailed guidance.
“The right of access is a cornerstone of data protection law and good SAR compliance instils trust and confidence. That’s why it’s essential that organisations get this right, because people’s trust in how organisations use their personal data plays a role in their overall confidence and support for your services,” Ms Clarke said.
The guidance covers:
- What is the right of access?
- How should we prepare?
- How do we recognise a subject access request (SAR)?
- What should we consider when responding to a request?
- How do we find and retrieve the relevant information?
- How should we supply information to the requester?
- When can we refuse to comply with a request?
- What should we do if the request involves information about other individuals?
- What other exemptions are there?
- Are there any special cases?
- Health data
- Education data
- Social work data
- Can the right of access be enforced?
- Can we force an individual to make a SAR?