The Information Commissioners Office (ICO) has issued new guidance on Data Subject Access Requests. The new guidance intends to offer greater clarity on three key points raised in the consultation stage that took place in December 2019.
What is a Data Subject Access Request?
Individuals, under the General Data Protection Regulation (GDPR), have the right to ask an organisation whether it is using or storing their personal information. If so, individuals also have a right to obtain copies of their personal data. This is known as making a Data Subject Access Request (DSAR).
What does the new guidance say?
- Stopping the clock for clarification
The ICO has confirmed that where an organisation has received a DSAR and processes a large amount of information about an individual, they may ask the individual to specify the information or processing activities their request relates to before responding to the request.
During this period, the time limit for responding to the request is paused until they receive clarification. The ICO refers to this as "stopping the clock".
The ICO does say, however, that an organisation may not seek clarification on a blanket basis and should only do so if:
- It is genuinely required in order to respond to a DSAR
- It is processing a large amount of information about the individual
- What is a manifestly excessive request?
Organisations can refuse to comply with a DSAR if it is manifestly unfounded or manifestly excessive.
The ICO has widened the circumstances in what might be considered manifestly excessive. Key points to consider include:
- An organisation’s available resources
- Whether a refusal to provide the information or even acknowledge if an organisation holds it may cause substantive damage to the individual
- Whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive)
- What can be included when charging a fee for excessive, unfounded or repeat requests?
The ICO has also provided further clarity in respect of charging a fee for excessive, unfounded or repeat requests. The new guidance now includes staff time in the list examples of "reasonable fees", alongside: equipment, and supplies, photocopying, printing, postage and any other costs of transferring the information to the individual.
In respect of staff time, the ICO states that an organisation should base the costs on the estimated time it will take staff to comply with the specific request and should be charged at a reasonable hourly rate. Staff costs should be reflected in a “reasonable, proportionate and consistent manner” and good practice would involve an organisation establishing a set of criteria which sets out:
- The circumstances in which it charges a fee
- Its standard charges (including a costs breakdown where possible)
- How it calculates the fee – explaining the costs it takes into account including staffing costs
The ICO also provides that an organisation’s criteria should not only be “clear, concise and accessible” but “available on request”. It does not, however, need to be published online.