ICO publishes guidance on subject access under the GDPR.
Background
On 21 October 2020, the Information Commissioner's Office (ICO) published detailed guidance for organisations on how to deal with subject access requests (SARs) under the GDPR. The guidance explains what rights individuals have to access their personal data and the corresponding obligations on controllers.
It is important for organisations to understand their obligations as controllers in relation to subject access to ensure compliance with the GDPR and the Data Protection Act 2018.
This article summarises some of the main issues raised in the feedback received by the ICO when the draft guidance was sent out for consultation.
What is subject access?
Subject access is a fundamental right of individuals to obtain a copy of their personal data, together with supplementary information, from a controller. The supplementary information includes the controller's purposes for processing, the categories of personal data being processed and the recipients (or categories of recipients) of that personal data.
Responding to a SAR and ‘stopping the clock’
An organisation must comply with a SAR without undue delay and at the latest within one month of receiving the request. This time limit can be extended by a further two months if the request is 'complex' or if a number of requests have been received from the same individual.
Whether a request is complex will always depend on the specific circumstances of the case. An organisation should consider its size and the resources available to it, as what is complex for one entity may not be for another. The ICO lists various factors that may indicate greater complexity, including technical difficulties in retrieving the information, the need to clarify potential confidentiality issues and the need to obtain legal advice.
Any organisation that does decide it is necessary to extend the time limit must inform the individual and explain its reasons for doing so within one month of receiving the request.
However, where an organisation processes a large amount of information about an individual and it is unclear what information is being requested, it can ask the individual to clarify the request and specify which information and/or processing activities it relates to. The time limit for responding is then paused (i.e. the organisation 'stops the clock') and the organisation does not need to provide the requested information until the clarification is received. Whether an organisation holds a large amount of information will again depend, in large part, on its size and resources.
Refusing to comply with a SAR
An organisation may be able to refuse to comply with a SAR, in whole or in part, where an exemption applies (the exemptions are listed in the guidance together with practical examples), or where the SAR is either 'manifestly unfounded' or 'manifestly excessive'.
A SAR may be deemed manifestly unfounded if it is clear the individual has no intention of exercising their right of access, or where the request is malicious in intent and being used to harass the organisation with no real purpose except to cause disruption. In determining this, an organisation should consider the context and whether the individual genuinely wishes to exercise his or her rights.
The ICO has confirmed that assessing whether a SAR is manifestly excessive requires the organisation to consider whether it is clearly or obviously unreasonable. The assessment should take into account all the circumstances of the SAR, such as the nature of the requested information, the relationship between the individual and the organisation, and the organisation's available resources, to determine whether the request is proportionate when balanced against the burden and cost of dealing with it.
If an organisation decides not to comply with a SAR, it must inform the individual of its reasons, of their right to complain to the ICO or another supervisory authority, and of their ability to seek to enforce their rights through the courts.
Charging a fee
Generally, an organisation may not charge a fee for complying with a SAR. However, a 'reasonable fee' may be charged for manifestly unfounded, manifestly excessive or repeat SARs. The ICO clarifies that a reasonable fee can include the costs of staff time, copying, postage and equipment or supplies.
The ICO advises controllers to establish a set of criteria detailing the circumstances in which a fee is charged, the organisation’s standard charges and how it calculates a fee, which should be made available upon request, although it does not need to be published online.
The full guidance can be accessed via this link. If you have any questions about the issues raised in this article, or on GDPR compliance generally, please do not hesitate to contact us by emailing [email protected].