The Information Commissioner’s Office (ICO) has published detailed guidance on its website to assist organisations responding to data subject access requests (DSARs).
The new guidance does not substantially change the current provisions governing DSARs under the GDPR and the Data Protection Act 2018; instead it provides clarification and expands on the summary guidance provided by the ICO previously. This article highlights some of the key areas that the new guidance addresses.
1. Stopping the clock when clarifying the scope of the DSAR
The new guidance confirms that an organisation can potentially stop the clock on the calendar month time limit for responding if clarification of the scope of the DSAR is required. Organisations should only seek clarification if it is genuinely needed in order to respond to the DSAR and the organisation processes a large amount of information about the individual. Organisations should not seek clarification on a blanket basis in an attempt to buy more time to deal with the request.
The guidance provides some examples of when clarification could be sought and also confirms that the clock only stops where an organisation seeks clarification about the information requested. The clock will not stop if the organisation seeks to clarify any other matter, such as the format of the response.
2. Defining further what a “manifestly unfounded” or “manifestly excessive” DSAR is
The ICO’s original summary guidance on DSARs states that an organisation can refuse to comply with a DSAR if it is manifestly unfounded or manifestly excessive. The new guidance explains further what these definitions mean in practice.
The guidance sets out that a DSAR may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access – an example being that they make a request and then offer to withdraw it in return for some form of benefit or financial payment from the organisation; or
- the DSAR is intended to be malicious and is being used as a way of harassing the organisation, with no real purpose other than to cause disruption. Examples include the individual explicitly stating that they intend to cause disruption, making unsubstantiated accusations which are clearly prompted by malice, targeting a particular employee against whom they have a personal grudge, or systematically sending different requests to the organisation with the intention of causing disruption.
The ICO states that this is not a simple tick box exercise and organisations must consider a request in the context in which it is made. The guidance also highlights that aggressive or abusive language used in requests is not acceptable but the use of such language will not automatically make a request manifestly unfounded.
The guidance sets out that to determine whether a DSAR is manifestly excessive, an organisation will need to consider whether the DSAR is proportionate when balanced with the burden of costs involved in dealing with the request. All circumstances of the DSAR will need to be taken into account including:
- the nature of the requested information;
- the context of the DSAR and relationship between the individual and the organisation;
- whether a refusal to provide information or acknowledgment that the organisation holds it would cause substantive damage to the individual;
- the organisation’s available resources;
- whether the DSAR largely repeats previous requests and a reasonable interval has not elapsed; or
- whether it overlaps with other DSARs.
The guidance clarifies that a DSAR will not automatically be excessive if it asks for a large amount of information. Organisations will need to consider the above factors and consider whether clarification could be sought from the individual.
The guidance emphasises that each DSAR must be considered individually and again warns organisations against applying a blanket policy. Organisations need to be prepared to justify why they consider a DSAR to be manifestly unfounded or excessive if challenged by the ICO.
3. Defining further a “reasonable fee” for complying with a DSAR if it is manifestly unfounded or excessive
In the majority of cases, an organisation will not be able to charge a fee to comply with a DSAR. The summary and new detailed guidance, however, highlight that an organisation can charge a “reasonable fee” for the administrative costs of complying if the DSAR is manifestly unfounded or excessive, or if the individual requests further copies of their data following the DSAR. The new guidance explains that an organisation should take into account the costs of the following when determining a reasonable fee:
- assessing whether or not the organisation is processing the information;
- locating, retrieving and extracting the information;
- providing a copy of the information; and
- communicating the response to the individual, including contacting them to inform them that the organisation holds the requested information (even if it is not providing it).
The new guidance states that there could be overlap between the above activities and that organisations should be careful not to double charge individuals. The guidance further states that a reasonable fee may include the costs of photocopying, printing, postage and any other costs involved in transferring the information to the individual, as well as equipment and supplies and staff time spent on complying with the DSAR.
The new detailed guidance is available on the ICO’s website. It is likely to be welcomed by organisations, especially those dealing with DSARs frequently, whether from customers and/or employees.
If you are an organisation and need assistance dealing with a DSAR or are an individual looking to make one and need some guidance, please do get in touch.