The ICO has published new guidance on how organisations should handle data subject access requests (DSARs), aiming to simplify and clarify the process.
The publication of the guidance follows the ICO’s December 2019 consultation. The ICO has said it also plans to publish a more focused version of the guidance for small businesses.
Responding to DSARs has become an increasingly costly and cumbersome requirement for organisations. And while the guidance does not go as far as some respondents to the consultation had hoped in making things easier for data controllers, it does include welcome changes. The key developments are the right to ‘stop the clock’ when seeking clarifications, additional guidance on identifying ‘manifestly excessive’ or ‘manifestly unfounded’ requests, and guidance on fees for dealing with excessive or unfounded requests.
‘Stopping the clock’ for clarifications
The guidance gives organisations the right to ‘stop the clock’ on the response deadline in some situations. If an organisation holds a large amount of information and it is not clear what information an individual is requesting, or where it is genuinely unclear whether an individual is making a DSAR, the organisation can seek clarification. The guidance says the deadline for responding extends for the same amount of time as the requester takes to provide the clarification.
This helps organisations avoid the double jeopardy of having an approaching deadline but not enough information to provide a meaningful, focused reply. However, if an individual responds and either repeats their original request or refuses to provide any additional information, the organisation still has an obligation to act diligently and should make reasonable searches based on the information provided in order to reply. But if an individual does not reply at all, the organisation can ‘close’ the DSAR without replying further after a reasonable period of time.
Rejecting a ‘manifestly excessive’ or ‘manifestly unfounded’ request
Organisations have always been able to reject ‘manifestly’ excessive or unfounded DSARs. The new guidance gives more direction on when a DSAR falls into those categories.
In both cases the starting point is that an organisation must consider a request on its own merits, and avoid a blanket approach.
The guidance gives examples of manifestly unfounded requests, including those which show no intention of exercising the right (e.g. requesting payment to withdraw a request), those which are malicious in their intent or harassing (e.g. making unsubstantiated allegations, targeting an employee, or bombarding different parts of an organisation with requests to cause disruption).
To decide if a request is manifestly excessive an organisation needs to decide whether it is clearly or obviously unreasonable. It should base that assessment on whether the DSAR is proportionate when balanced with the burden or costs involved. This assessment should take into account:
- the nature of requested information;
- the context of the request, and relationship between organisation and requester;
- if refusing to provide the information (or acknowledge holding it) may cause substantive damage to the requester;
- an organisation’s available resources;
- whether the request largely repeats previous requests without a reasonable interval having passed; and
- whether the request overlaps with others.
The guidance points out that a DSAR is not necessarily excessive just because a requester asks for a large amount of information. If an organisation considers a request excessive, it should consider asking the requester for more information to help it locate the relevant information, and consider ways of making reasonable searches for that information.
The guidance is clear that organisations should not have a blanket policy for categorising DSARs as manifestly excessive, and should have strong justifications for making that decision, which they can provide to the requester and the ICO.
Charging to respond to excessive, unfounded or repeat requests?
The guidance says that instead of refusing to reply to a manifestly excessive or unfounded request, an organisation can charge a reasonable fee for replying. Those costs can include:
- assessing whether the organisation is processing the information;
- locating, retrieving and extracting the information;
- providing a copy of the information;
- communicating the response, including contacting the individual to inform them that the requested information is held (even if it will not be provided);
- photocopying, printing, postage, and other costs in transferring information; and
- staff time.
There is no regulatory guidance on the limits to ‘reasonable’ fees, but organisations should ensure they are proportionate and consistent.
Importantly, if an organisation elects to charge a fee, it does not have to reply to the DSAR until it has received the fee.
Other useful tips from the guidance
The guidance includes other useful points for organisations handling DSARs:
- Individuals can make DSARs by social media, if your organisation has a social media presence. It is important that social media teams are trained to recognise DSARs, especially if they regularly interact with customers;
- Organisations do not have to take proactive steps to discover a DSAR – for example, if a requester requires an organisation to sign up to a service or pay a fee to access a DSAR, that organisation has not ‘received’ the DSAR and does not have to respond;
- Individuals should ordinarily be treated as being of sufficient age and maturity to exercise their right of access if they are aged 12 years or over;
- Examples of factors that may add to the complexity of a DSAR and allow an organisation further time to respond to it include the need to apply exemptions to large volumes of sensitive information, needing to obtain specialist legal advice, needing to clarify issues with disclosure of information relating to children, and (for public authorities only) searching large volumes of unstructured manual records;
- A DSAR which is made as part of a bulk request has the same legal status as an individual DSAR.
Although the guidance is not a silver bullet for the increasing burden on organisations of replying to DSARs, it includes helpful changes and clarifications that should make things simpler and (in some cases) less costly. The key for organisations in taking advantage of the updated guidance will be identifying and applying a consistent approach to DSARs, whilst always looking at the context of each DSAR individually.