ICO changes guidance on timescales for complying with subject access requests.

The Information Commissioner's Office (ICO) has amended its General Data Protection Regulation: Right of access guidance. Specifically relating to the timescales for compliance with data subject access requests (DSARs) where the data controller has sought clarification of the request.

What Are the Fundamental Changes?

The previous guidance (published in April 2018) stated that the start of the one month time period for compliance with the DSAR would be paused until the data controller was in receipt of any requested information/clarification. This is no longer the case.

The updated guidance now states that data controllers can request further information/clarification but that the timescale for responding to the DSAR is not affected by this. The data controller must still respond to the DSAR within one month, unless it intends to rely on the extended timescale which can apply where multiple or complex DSAR's have been received. This gives the data controller a further two months to respond to the DSAR. If a data controller wishes to rely on the multiple or complex extension it must inform the data subject within month of receiving the DSAR and explain why the extension is necessary.

The revised guidance continues to state that where the data controller has requested confirmation of identity from the data subject, the timescale for responding to the DSAR will not start until this confirmation is received.

What Are the Impact of These Changes?

These timescale adjustments may pose some challenges for those responding to DSARs where the precise scope of the information sought by the DSAR is unclear.

Requests for clarification will often need to be made where the DSAR is cast in broad terms and the data controller requires details of particular custodians, relevant timeframes, and keywords for the purposes of data retrieval and electronic searches. If the data subject takes time providing the requested detail then considerably reduces the remaining time in which the data controller has to collate a response and comply with the DSAR.

Can Employers Raise Concerns?

The revised short-form guidance is consistent with what is set out in the ICO’s more detailed Right of Access guidance, issued in draft in December 2019. This is currently the subject of a consultation that closes on 12 February 2020. Therefore, whilst employers with concerns about the modified position that the ICO is now taking on timescales can still submit their views for consideration as part of that consultation.

It seems unlikely (although theoretically possible) that the ICO will change its stance, not only because its position is now duplicated in both forms of the guidance, but also because it seems to more accurately to reflect the intention of Article 12 of the General Data Protection Regulation (GDPR) 2016/679.

What Actions Should Employers Take?

Going forward, employers should:

  • Ensure that you provide the requested information within one month of receipt. Unless there has been a request for confirmation of identity, in which case the time limit will start to run from the receipt of such confirmation.
  • If you intend to rely on the timescale extension which can apply to complex or multiple DSARs, tell the data subject within one month why they intend to do.
  • Request clarification, particularly if a DSAR is made for a large amount of data. Any clarification given by the requester may significantly reduce the amount of work required to comply with the request.
  • Ensure you have systems in place to record, track and monitor DSARs received from onset through to completions in order to avoid non-compliance, which could lead to ICO enforcement action.
  • You may find it useful to put in place a standard document to enable them obtain key information required to speed up response time. However, the GPDR does not require data subjects to submit an access request form and there is no obligation on the requester to use this form. In fact, and in a change from the position under the 1998 DPA, a DSAR does not even have to be in writing.

We anticipate that more data controllers will now claim the two month extension, to ensure that they have sufficient time to respond should clarification not be given, or if the requester responds by insisting that they want 'all' of their personal data. In this regard, the new guidance is helpful because it suggests that the ICO are taking a broad view of what counts as a 'complex' request, making it easier for data controllers to claim an extension.