Updated ICO Guidance on responding to DSARs
Key Contact: Claire Knowles
Author: Rebecca Mahon
This month, the Information Commissioner’s Office published updated guidance on dealing with subject access requests. Notably, they have reinstated guidance (which was previously withdrawn) which says that asking an individual to clarify the scope of their request will “stop the clock” on the time for responding.
The ambiguity over whether or not a request for clarification regarding the scope of the request will “stop the clock” arises out of Recital 63 of the GDPR, which states:
“…Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates” (emphasis added).
The original guidance accompanying the GDPR stated that a clarification request would “stop the clock”. However, in January 2020, the guidance was amended to state:
“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request [(see recital 63, GDPR)]. However, this does not affect the timescale for responding – you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests”.
When this change was introduced, it was met with a lot of criticism due to the practical issues it created. A business could be entirely unclear about what data an individual was seeking to receive, but would nonetheless have to respond within one month, irrespective of whether the individual clarified their request during that time.
Thankfully, the original interpretation of Recital 63 is now reflected once again within the guidance, with helpful examples which explain why clarification can sometimes be necessary for businesses. However, the new guidance specifically states that businesses should not seek clarification on a blanket basis, and it should only be sought where:
- It is genuinely required in order to respond; and
- You process a large amount of information about the individual.
The guidance is keen to emphasise that whether or not you process a “large amount of information” will in part depend on the size of the organisation and available resources. An organisation with a dedicated data protection team is unlikely to be able to rely on clarification to stop the clock if in reality they have the resource to provide the requested information quickly and easily.
Please note that the new guidance does not change the fact that you cannot force an individual to clarify or narrow the scope of their request, and information should always be provided without undue delay (including, where relevant, providing data as and when it is “ready”, rather than holding on to it to provide everything in one tranche). If an individual refuses to clarify their request, you must still comply with their request by making reasonable searches for the information. However, in such circumstances, you may be able to argue that the request is manifestly unfounded or excessive.
Manifestly unfounded or excessive
The new guidance also provides useful updated guidance on when a request might be reasonably deemed to be manifestly unfounded or excessive. It restates original guidance that a request is not necessarily excessive just because an individual requests a large amount of information. Interestingly, it highlights that if an individual makes a request, but offers to withdraw it in return for some benefit from the organisation, this could be relied upon in determining that the request was manifestly unfounded. This may impact how often we see individuals submitting requests maliciously and/or for nuisance value. Ultimately however, the guidance states that the inclusion of the word “manifestly” means that “there must be an obvious or clear quality to unfoundedness/excessiveness” and urges processors to have strong justifications if they want to rely on the request being manifestly unfounded or excessive to not respond to a request, or charge a fee (see below). The organisation should be prepared to share these justifications with the individual and the ICO.
Finally, and very interestingly for businesses, the new guidance suggests that a “reasonable fee” to be charged to an individual for complying with a manifestly unfounded or excessive request could include staff time. Under the old data protection rules, businesses could charge a maximum of £10 for responding to a request. As such, whilst the cap on fees was removed by the GDPR and DPA 2018, businesses and lawyers alike have interpreted “reasonable fee” in line with the old limits. However, the new guidance brings this interpretation into question.
The guidance emphasises that in most cases, a business cannot charge a fee. It can only do so where the request is manifestly unfounded or excessive (see above). However, if this threshold is overcome, the guidance states that a reasonable fee could include:
- photocopying, printing, postage and any other costs involved in transferring the information to the individual (e.g. the costs of making the information available remotely on an online platform);
- equipment and supplies (e.g. discs, envelopes or USB devices); and
- staff time, which should be based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate.
It is worth noting that the DPA 2018 allows for the Secretary of State to specify limits on the fees that controllers may charge to deal with a manifestly unfounded or excessive request. However, at present there are no regulations in place.
If you have received a data subject access request, or need assistance with your data protection obligations, please contact our employment or technology and communications team. Please also see our recent webinar here.