How much time do you have to respond to a subject access request? Perhaps less than you thought!

Yesterday, the ICO updated its guidance on subject access request (SAR) timescales and organisations now have slightly less time than they did previously to respond.

Why does the timescale matter?

Under the data protection laws, organisations must respond to SARs without delay, and within one month. Therefore, organisations need to understand how they are to calculate this one-month timescale.

The ICO has taken action against organisations which have not complied with SARs, and just last week served an enforcement notice against Hudson Bay Finance Limited for failure to respond to a SAR (under the previous 1998 Act). 

What has changed?

Short answer: The start date for calculating your one-month timescale.

Longer answer: Previously, the ICO’s guidance indicated that the start date should be calculated from the day immediately after you receive the request. This has now changed and the start date is calculated from the day of actual receipt of the request. So, in some instances organisations now have one less day to respond to a SAR.

What does this change mean for your organisation?

You should make sure your internal procedures and policies are up-to-date. If they include guidance on the timescales for responding to SARs, you should make sure this is amended.

And make sure to communicate this to your staff who deal with SARs (and make them aware of any changes to your procedures and policies).

Does this updated guidance apply retrospectively?

The ICO’s guidance is not clear on this point. Taking a risk-averse approach, organisations may wish to reassess the timescales for the SARs they are currently dealing with.

So… how do organisations calculate timescales?

The general rule is that organisations must respond to SARs without delay and within one month of receipt of the request.

Calculating the start date

As per the change to the ICO’s guidance, the general rule is that the start date is the day you receive the request (whether that day is a working day or not). So, if you receive a request on Saturday 17 August 2019 then the start date is 17 August, even though this is a weekend day. There are some exceptions to this start date:

  • ID: If an organisation needs information to identify the individual, the period for responding to the request begins when the requested ID is received (if later than the date of receipt).
  • Further information: Where an organisation asks for more information to clarify a request, the period for responding to the request begins when the organisation receives the additional information (if later than the date of receipt).
  • Fee: If an organisation is entitled to request a reasonable fee to respond to a SAR, the timescale begins from the date of receipt of the request fee (if later than the date of receipt). 

Please see the ICO’s guidance or contact us for further information as to when ID and further information can be asked for, and when fees can be charged.

Remember: organisations must not delay in requesting ID, additional information and/or a fee. These are not intended as methods of extending the general rule!

Calculating the end date

This is the corresponding calendar date to the start date in the next month. So, if your start date is 17 August 2019, then the end date is 17 September 2019.

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. Therefore, if you receive the request on 30 January, and as there is no 30 February, your end date is 28 February (unless of course it’s a leap year!).

Who knew that calculating a month could be so complicated!

Extending the one month timescale 

If the request is complex, or there are a number of requests, organisations can extend the period for responding by a further two months (three months in total). If the period is to be extended, the individual must be told within one month of receipt of the request and the reason(s) for the delay should be explained. Please get in touch with us if you need assistance to identify whether the SAR you have received is complex.

Where can organisations find the ICO’s guidance?

The ICO’s guidance on the right of access and SARs is available here

For further information on dealing with SARs, please contact our Data Protection & Cyber Security Team. We have extensive experience in assisting clients to deal with SARs, including advising on timescales, identifying what is disclosable under a SAR and how to apply exemptions. We can also provide workshops and training to your staff so that they are equipped to deal with SARs, and prepare written procedures and policies.

Latest updates from @MacRoberts