- Solicitors For Business
- Solicitors For You
- Armed Forces Claims
- Clinical Negligence
- Court of Protection
- Criminal Defence
- Driving Offences
- Family Law
- Intellectual Property
- Media Law
- Personal Injury
- Personal Immigration Services
- Personal Insolvency
- Professional Regulation and Discipline
- Residential Real Estate
- Wills, Trusts & Estate Planning
- Will Disputes
- About Us
- News & Events
Updated guidance on Subject Access Requests by the ICO – What’s new?26th October 2020 Media Law
The Information Commissioner’s Office (ICO) has updated its guidance on Subject Access Requests (“SARs”).
SARs are requests made by individuals to organisations for a copy of their personal data held by that organisation. The right of access is a fundamental right for individuals under data protection law. The new guidance comes after a consultation in December 2019 in which organisations (predominantly those responding to SARs) called for clarification on some aspects of the data protection law.
How to recognise a SAR
There are no formal requirements for a SAR to be valid. It can be made in writing or verbally. The new guidance notes that SARs can be made by social media. An individual can make a SAR to any part of an organisation and they do not have to direct it to a specific person or contact point who usually handles SARs. Many companies have standard forms for individuals to make a request. The new guidance explains that while these forms can make it easier for companies to recognise a SAR it is not compulsory for an individual to use the form and a SAR made in another way e.g. by letter is equally valid.
Can an organisation seek to “clarity” a SAR?
If a company processes a large amount of information about the individual making the SAR, the new guidance explains that companies can clarify the request. Companies can ask the individual to specify the information they are requesting. The time limit for responding to the request is “paused” until you receive clarification. This is referred to as ‘stopping the clock’. Companies can also ask the individual for ID to satisfy itself that the data held relates to the individual in question. The key point is that they must be reasonable and proportionate about what they ask for. ID should not be requested if the requester’s identity is obvious to the company, for example where there is an ongoing relationship such as employer and employee.
What is a “manifestly excessive” SAR?
A SAR can be refused if it is deemed to be manifestly unfounded or manifestly excessive.
The new guidance gives a clearer definition of both of these situations:
- Manifestly unfounded: the individual clearly has no intention to exercise their right of access or the request is malicious in intent, harassing the organisation with no real purpose other than to cause disruption. Examples include explicitly stating the intention is to cause disruption, unsubstantiated accusations prompted by malice and systematically sending different requests as a part of a campaign. Organisations must consider a SAR in the context in which it is made, aggressive language is not acceptable but it does not necessarily make a request manifestly unfounded.
- Manifestly excessive: an organisation must firstly consider if the request is clearly or obviously unreasonable. The basis of this is whether it is proportionate when balanced with the burden or costs involved in dealing with the request. A number of things must be taken into account including:
- The nature of the requested information
- The context of the request, and the relationship between individual and company
- Whether refusal to provide information may cause substantive damage to the individual
- The available resources
- Whether the request largely repeats previous requests and a reasonable interval has not elapsed; or
- Whether it overlaps with other requests.
The guidance makes it clear that a request for a large amount of information is not necessarily excessive. Companies must consider all the circumstances and clarify the request with the individual.
The Acting Director of Regulatory Assurance at the ICO, Ms Anulka Clarke explained “We know it’s a difficult time. We hope this guidance is going to be useful for organisations across the board, especially during the COVID-19 pandemic, as it will give them more insight into how to deal with SARs and access the information they need quickly and easily.”
This new guidance may well prove useful to organisations and will be welcomed by many struggling to deal with SARs. Given that the guidance follows a consultation with predominantly data controllers (350+ according to the ICO) rather than data subjects it is clear that it seeks to ease some of the regulatory burden on organisations.
A specific benefit to companies is the new ‘stop the clock’ guidance, where clarification is sought as to what the individual is actually asking for. This may be used tactically by some companies coming to the end of the statutory time limit in which to comply to try and buy themselves more time. It may be used as additional “buffer” time. In practical terms, many companies already seek such clarifications and most individuals are more than happy to be specific about what, exactly, they want to see – some people want to see “everything” an organisation holds about them, but most do not. The ICO’s clarification potentially puts an onus on the individual to consider limiting their request, despite the fact that it is well within their fundamental right to seek all information a company holds on them.
Ultimately, if a data subject is not happy with the approach adopted by an organisation in responding to a SAR, they may (as the ICO acknowledges) complain to the Court and seek compliance with their data rights. The Courts therefore may have the final say on the impact of the ICO’s new guidance.