New guidance on Subject Access Requests

On 21 October 2020 the Information Commissioner published the new Right of Access guidance in order to simply data subject access requests (“DSARs”) made under the GDPR (Article 15).

Whilst recognising the fundamental right for people to be able find out what is happening to their information, it was found that more and more people were exercising this right and it was therefore necessary to provide further guidance for all concerned. In essence, the guidance covers the following:

Stopping the clock for clarification

  • The law states that an access request should be responded to in full within at least one month of receipt of the request;
  • However, it has now been stated that where an organisation seeks clarification on a request made, the time period for responding will be stopped until the clarification has been received.
  • The ICO expressly warns against doing so as a tactic for delaying a response

Manifestly excessive and/or unfounded requests

  • A request will be “excessive” if it is clearly or obviously unreasonable. This will be based on whether the request is proportionate when balanced with the burden or costs involved in handling the request, which is a broader definition than relied on by the ICO in the past;
  • A request will be considered to be “unfounded” if it is considered to be malicious in intent and is being used to harass and disrupt an organisation;

Charging a fee

  • In responding to manifestly unfounded or excessive requests, or responding to follow-up DSARs, an organisation may charge a fee for responding which can factor photocopying, printing, postage, and other costs in transferring the information and staff time in responding;
  • No limits set on the fees, but organisations should ensure they are proportionate and consistent;

Other relevant changes

  • DSARs can be made through social media where an organisation has a presence there;
  • Organisations are encouraged to take proactive steps in ensuring that its staff are of its obligations and how to respond to DSARs;

To find out more information about the new Right of Access guidance, please visit the ICO website here.