Last week, the ICO (the UK Information Commissioner’s Office) published new detailed guidance (the Guidance) on how organisations should handle data subject access requests (DSARs).
What are DSARs?
DSARs are requests made by an individual (a Data Subject) to a ‘data controller’ for the personal data it holds about them, confirmation that it is processing their data, and other supplementary information. Often these are made by an employee or ex-employee to their employer or ex-employer. DSARs are often costly and can take up a significant amount of time and resources, especially when drafted in terms of “all personal data that you hold about me”.
A draft version of the Guidance was put out for consultation back in December 2019. The ICO has taken on board the feedback received in finalising the Guidance and has responded to three particular points which came out of the consultation exercise.
Stopping the clock for clarifications
Under the Guidance, organisations are now able to ‘stop the clock’ in order to seek clarification of a DSAR. The Guidance states that clarifications cannot be sought on a blanket basis and can only be requested where it is genuinely required by the organisation in order to respond to the DSAR and the organisation processes a large amount of information about the Data Subject.
When seeking clarification, an organisation can ask the Data Subject to provide additional details about the information they want to receive but cannot force a Data Subject to narrow the scope of their request. Where the Data Subject refuses to provide additional information, the organisation must still comply with the original request by making reasonable searches for the information.
Clarification must be sought as early as possible within the first month. The request for clarification should explain why it is being sought, give the Data Subject guidance on the details needed, and explain the impact on the time limit for providing any personal data.
If an organisation decides to seek clarification, the timescale for responding extends by the same amount of time as the Data Subject takes to provide the clarification, and if the Data Subject fails to respond within a reasonable period of time, the organisation can consider the request ‘closed’. However, where it is suspected that a Data Subject is having difficulty in providing additional details within a specified timeframe, the organisation should try to accommodate the Data Subject as much as possible.
‘Manifestly excessive’ requests
The Guidance states that in order to determine whether a request is manifestly excessive, the organisation should consider whether it is ‘clearly or obviously unreasonable’. This should be based on whether the request is proportionate when balanced with the burden of costs involved in dealing with it. Organisations should consider a number of factors including their available resources, the nature of the requested information, the context of the request and their relationship with the Data Subject and whether not complying would cause substantive damage to the Data Subject.
The Guidance reiterates the importance of considering each request on an individual basis and reminds employers that a request is not necessarily excessive just because the Data Subject requests a large amount of information.
What is a ‘reasonable fee’ for complying with a manifestly excessive or unfounded DSAR?
Rather than refusing to comply with manifestly excessive (or unfounded) DSARs, the Guidance confirms that organisations can charge a ‘reasonable fee’ to the Data Subject in order to comply with their request. This can include the cost of staff time in complying with the DSAR, charges associated with transferring the data including photocopying, printing, and postage as well as equipment costs for USB sticks etc. When determining a reasonable fee, the Guidance states that organisations can take into account the administrative costs related to assessing, locating and copying the information as well as communicating with the Data Subject. If the organisation decides to charge the Data Subject for staff time, the charge should be based on the estimated time it will take staff to comply with the specific request, and should be charged at a reasonable hourly rate (determined by the organisation).
The ability to ‘stop the clock’ pending clarification of the scope of a request will be welcomed by employers but must be exercised as soon as possible following receipt in order to be of maximum benefit. Additional guidance around the meaning of “manifestly excessive” is also helpful. We tend to see employers simply refuse to comply with a request which they consider to be manifestly excessive, so greater clarity around what can be charged as a fee for compliance may mean that some employers offer the Data Subject the choice to pay instead. However, given that compliance can cost tens of thousands of pounds, it is unlikely that many Data Subjects would be able and/or willing to pay even a small part of that.
We have seen a significant rise in DSARs being made over the past few years and have the facilities and knowledge to assist in responding to them.
If you have any questions relating to the Guidance or would like assistance in handling and complying with a DSAR, then please contact any member of the team.