ICO says that the right of access is a fundamental right under data protection law.
The ICO has issued guidance on the right of access under the GDPR. The guidance covers in more detail themes introduced in the ICO’s general guide to data protection, and is aimed at data protection officers and those with specific data protection responsibilities in larger organisations.
The guidance was published for consultation in late 2019 and three key sections have been added to it as a result of the consultation:
The guidance considers what the right of access is, how organisations should prepare for receiving requests, and how to recognise them given that the GDPR does not prescribe formal wording for requesting access. It then goes on to consider when organisations may refuse to comply with a request, for example if an exception applies or, as mentioned above, if it is manifestly unfounded or manifestly excessive. The guidance also explains the various exceptions, such as exam results, confidential references and management information.
Among other things, the guidance considers the special cases of health, social work and education data, as well as the enforcement powers of the ICO in relation to subject access requests generally.
There is also guidance on how to retrieve information, how to supply it to the person who has requested it, and how to deal with special cases such as unstructured manual records, credit files and information which also involves other people.
The guidance culminates with the issue of enforced SARs, which it says are often a criminal offence and can be better resolved by following other processes such as the criminal record disclosure regime or obtaining medical records.
The ICO says that the right of access is key to improving customer trust and that handling access requests appropriately helps organisations to build trust.