On 21 October 2020 the ICO published their detailed guidance on subject access requests ("SARs") following a consultation that began in December 2019 (which we'll refer to as the "new guidance").
A SAR is a request from an individual for a copy of their personal data. For employers, SARs can become a time-consuming and expensive exercise.
Whilst the new guidance does not change the underlying law it does provide some useful direction for employers, which should serve to simplify and clarify how to respond to SARs. We've summarised the key points below.
Stopping the clock
Under the GDPR, controllers are required to respond to SARs "without undue delay and in any event within one month of receipt of the request". Previously, there was no provision to extend that timeframe where the controller asked the data subject to clarify their request.
The new guidance provides that the clock can be stopped whilst organisations are waiting for the requester to clarify their request. The deadline for responding extends for the same amount of time as the requester takes to provide the clarification. This will provide some much-needed flexibility to controllers, particularly employers, who are asked to deal with an unclear or excessively broad SAR.
However, this is not a time-saving provision for all SARs, as the new guidance is clear that clarification should only be sought if it is genuinely required in order to respond to the SAR and if large amounts of data are processed about the requesting individual. It is unlikely, therefore, that this "stop the clock" option can be used to extend the timeline for responding to a SAR where the requested information can be obtained and provided quickly and easily.
This change is, however, likely to be welcomed by employers who will be able to "stop the clock" when dealing with unclear or broad SARs.
Another helpful addition in the new guidance is a broadening of the definition of what constitutes a "manifestly excessive" request. According to the new guidance, controllers should base their assessment of a SAR on the proportionality of the request when considering the burden or costs involved against the rights of the requester. First and foremost, this will require organisations to consider whether a request is "clearly or obviously" unreasonable. The new guidance is clear that this will mean taking into account all the circumstances of the request, including the nature of the requested information, the relationship with the requester, the available resources, the potential impact of not providing the information, and whether the request duplicates a previous request or overlaps with other requests. The ICO asks organisations to bear in mind that a request is not necessarily excessive just because the individual requests a large amount of information.
The ICO suggests that organisations should consider the nature of the data and how often data is altered when considering whether a SAR is manifestly excessive. In doing this, each SAR needs to be considered individually such that no blanket policy is applied and organisations are warned against making presumptions based on previous requests submitted by the same individual. The ICO places weight on the word "manifestly" and advises that organisations must have strong justifications for concluding that a request is excessive. This will present a high bar in practice and each case should be decided on its own facts.
Lastly, the ICO has updated its guidance in relation to what organisations can take into account when charging an admin fee for a manifestly unfounded or excessive request. When determining a reasonable fee, the ICO sets out the activities for which controllers can charge and warns against double-charging where these activities overlap. The new guidance notes that the administrative costs of assessing, locating, retrieving, extracting and copying the information, as well as the time taken to communicate the response, can be taken into account when determining a fee. It follows that a reasonable fee might consist of the direct costs of handling the data (such as copying, printing or posting) and the cost of any equipment or supplies required to respond to the SAR. It can also include staff time, which the ICO advises should be based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate.
The new guidance encourages controllers to establish an unbiased set of criteria for charging fees which explains when a fee will be charged, a breakdown of standard charges and details of how a fee is calculated. These criteria can then be made available to data subjects or the ICO as required.
Since the implementation of the GDPR, more people, particularly in their capacity as employees, have become aware of their rights as data subjects, and organisations have been seeing an increasing number of SARs. This new guidance and its more flexible and comprehensive approach to SARs will be well received by employers.
We recommend that employers start work on establishing their fee-charging policies so that they are well equipped to deal with any future requests. If you need guidance in putting together criteria or a policy on charging, we can assist.