The ICO recently published its much anticipated “Right of Access Guidance” on subject access requests (SARs). The guidance is the result of an earlier ICO consultation and is intended to assist organisations dealing with SARs – it will be of particular interest to data protection officers and others with specific data protection responsibilities.
What is a SAR and why is it important?
A data subject’s right of access is a fundamental right to obtain a copy of their personal data from a data controller, together with certain additional information, in order to understand how and why their data is being used. As individuals become increasingly aware of their data-related rights, handling SARs well is key to data protection compliance and crucial in building trust between organisations and individuals.
What does the guidance say?
The guidance is wide-ranging and detailed but has provided particular clarity on the following key areas.
1. Stopping the clock for clarification
The GDPR sets out tight timescales for organisations to respond to SARs. Generally, organisations must comply with a SAR without undue delay and, at the latest, within one month of receipt of the request for information. The ICO has advised that where a SAR is complex, for example because an organisation processes a large amount of information about an individual, and the organisation seeks clarification about the information requested, the time limit for responding can be paused until the organisation receives clarification of the request.
2. What is considered a manifestly unfounded or manifestly excessive request
Where a SAR is manifestly unfounded or excessive, an organisation can either charge a “reasonable fee” or refuse to comply with the SAR. The ICO has provided additional guidance on determining what is manifestly unfounded or manifestly excessive.
The ICO has explained that a request may be deemed “manifestly unfounded” where:
- an individual clearly has no intention to exercise their right of access, e.g. where an individual makes a SAR, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the SAR is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption, e.g. it makes unsubstantiated, malicious accusations against the organisation or specific employees, or targets a particular employee against whom the individual has some personal grudge.
However, if an individual genuinely wants to exercise their rights, it is unlikely that the request will be manifestly unfounded.
In order to determine whether a SAR is “manifestly excessive”, the organisation must consider whether it is clearly or obviously unreasonable. This will involve assessing whether the SAR is proportionate when balanced with the burden or costs involved in dealing with the SAR. All the circumstances of the SAR will need to be considered. SARs will not be “manifestly excessive” just because large volumes of information have been requested.
3. What can be included when charging a fee for excessive, unfounded or repeat requests?
Generally, organisations may not charge a fee to comply with a SAR. However, where a SAR is manifestly unfounded or excessive or an individual requests further copies of their data following a request, the organisation may charge a “reasonable fee”. The ICO has confirmed that when determining a reasonable fee, an organisation can take into account the administrative costs of:
- assessing whether or not an organisation is processing the information;
- locating, retrieving and extracting the information;
- providing a copy of the information; and
- communicating the response, including contacting the individual to inform them that the organisation holds the requested information (even if it is not providing the information).
The fee may also include the costs of photocopying, printing, postage, equipment and supplies (such as discs, envelopes or USB devices) and staff time. Costs associated with staff time should be based on the estimated time it will take staff to comply with the request, charged at a reasonable hourly rate. It is the organisation’s responsibility to ensure that it charges a reasonable rate and it is good practice for organisations to establish an unbiased set of criteria for charging fees which are clear, concise and accessible and make this available on request.
What does this mean for businesses?
The guidance will be welcomed by many organisations, especially those receiving a high volume of SARs which can often be time-consuming and resource-intensive. In addition to the three areas outlined above, the guidance provides lots of helpful material on recognising and responding to SARs, as well as covering exemptions and requests which relate to certain categories of data such as credit files and health data. Accordingly, organisations would be well advised to familiarise themselves with the guidance.
If you have any questions about SARs or other data protection related matters, please contact a member of our specialist GDPR & Cyber Security team who will be able to assist.