Following an extensive consultation that began in December 2019, the Information Commissioner’s Office (ICO) has finally published its updated guidance on the Right of Access, namely the ability of an individual to submit a Data Subject Access Request (DSAR) to an organisation that holds their personal data (the data controller).
A fundamental right under data protection legislation (subject only to limited exemptions), the Right of Access is a powerful tool for the individual and can be an extremely costly burden for an organisation. Having considered the 350 consultation responses from organisations, the ICO has sought to clarify some of the more contentious aspects of the DSAR process.
Yesterday’s press release states that the ICO has made many “changes and added additional content to the version already published”, but it nevertheless pinpointed three distinct areas that were in particular need of clarification.
1. Stopping the clock for clarification
Prior to the guidance update, the time limit for responding to a DSAR was not suspended whilst the organisation sought clarification from the individual submitting the request. The position has now changed and, in certain circumstances, an organisation may ask the requestor to specify the information their request relates to before responding to it. Once a request for clarification has been sent, the one-month deadline for providing a response is effectively paused until the individual responds.
This will be met with great fanfare by organisations and employers. Previously, it was virtually impossible to respond to a general request for “all my personal data”, made by an individual employed by an organisation for a number of years, within the original deadline of one month from the date the organisation receives the DSAR.
The guidance states that clarification should only be sought where “it is genuinely required in order to process the DSAR; and you process a large amount of information about the individual”. A “large amount of information” is not defined; however, the guidance suggests that this will depend on the organisation’s size and resources, and its ability to actually locate and retrieve all of the requested information by conducting a “reasonable search”. Emphasis here should be placed on the word “reasonable”. Once again, the ICO is reminding organisations that responding to a DSAR is not a “leave no stone unturned” exercise.
The “reasonable” approach is further detailed in the examples chosen by the ICO. One features an ex-employee requesting “all the information you hold on me.” The example goes on to state that it is not clear from the request what the individual wants and that the correct approach is to explain to the individual that “whilst they are entitled to request all the information held about them, the [organisation] is only required to conduct a reasonable search of their records…[and therefore] the individual may only receive some of the information held about them.”
Many organisations may think that the guidance has not gone far enough. Unfortunately for them, it stresses that there is no obligation on individuals to clarify their request, and that a refusal to do so means the original request must still be complied with, albeit on the basis of “reasonable searches”.
Finally, where clarification has been sought from the requestor but the organisation does not receive a response after a reasonable period of time (one month), the organisation can consider the matter closed.
2. Manifestly excessive requests
The term “manifestly excessive” was previously loosely defined and a cause of great confusion; the ICO has now provided further clarity as to what a “manifestly excessive” DSAR might be. According to the guidance, a “manifestly excessive” request will be “clearly and obviously unreasonable”. Once a request is deemed “manifestly excessive”, the organisation may refuse to comply with it. Factors that organisations should consider are as follows:
- The nature of the requested information;
- The organisation’s available resources;
- The damage that refusing to provide the information, or even to acknowledge the DSAR, may cause the requestor; and
- The context of the request, and the relationship between you and the individual.
The final two factors should be of particular interest to employers and organisations. These could be viewed as an ICO acknowledgement of the use of DSARs as a tactical tool in legal proceedings, whether by a company attempting to subdue an ex-employee by burying them in paperwork, or by a long-standing ex-employee making a general request for all of their personal data for the sole reason that this will impose a significant financial burden on the company.
Fundamentally, organisations dealing with requests should remember that a request is not automatically manifestly excessive simply because it is for a large amount of information. Every reason an organisation relies on for considering a request manifestly excessive should be recorded on the basis that the ICO may later scrutinise it.
3. Charging a fee for excessive, unfounded or repeat requests
The ability of an organisation to charge a fee for responding to manifestly unfounded, excessive or repeat requests, rather than refusing to comply, has also been clarified in the updated guidance. The guidance states that a fee should take into account administrative costs such as locating the information, liaising with the individual, and providing the information to the individual. Importantly, the guidance clarifies that a reasonable fee may include staff time, i.e. the estimated time it will take staff to comply with the request, charged hourly at a reasonable rate.
The guidance is careful not to state limits on fees, although section 12(1) of the Data Protection Act 2018 does give the Secretary of State the power to set such limits by regulations. This update is a further acknowledgement by the ICO of the substantial costs that DSARs can generate. Any fee should be requested in advance and the request should explain how the fee is calculated. Crucially, the guidance allows the organisation to take no further action on the request until the fee has been received. Whilst the criteria for charging fees should be available on request, there is no obligation on the organisation to publish them online. Organisations should expect to be able to robustly justify any fee to the ICO.
As with a request for clarification, where a fee has been requested and is not received within one month, the organisation can treat the request as closed.
The updated guidance therefore shows that the ICO has understood the concerns of organisations. The ability to seek clarification, the ability to charge a fee, and a clearer definition of “manifestly excessive” will come as a great relief to organisations so often put on the back foot by DSARs. The administrative burden on organisations remains high and, recognising the increasing value of personal data, the guidance does not diminish or negate the importance of data transparency. However, the new measures will go some way towards mitigating unnecessary requests, facilitating better dialogue between the requestor and the organisation, and closing requests where that dialogue has ceased.