ICO issues more detailed guidance on Subject Access Requests

October 21, 2020

The ICO has issued guidance on the right of access under the GDPR. The guidance covers in more detail themes introduced in the ICO’s general guide to data protection, and is aimed at data protection officers and those with specific data protection responsibilities in larger organisations

The guidance was published for consultation in late 2019 and three key sections have been added to it as a result of the consultation:

  • Stopping the clock for clarification – one issue which the ICO received a lot of feedback on was that seeking clarification on requests often did not leave enough time to respond. As a result, the ICO’s position now is that, in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request.
  • What is a manifestly excessive request – to combat confusion over when to class a request as manifestly excessive, the ICO has provided additional guidance to help and broadened its definition.
  • What can be included when charging a fee for excessive, unfounded or repeat requests – the ICO has taken the feedback on board about the fee for staff time involved in responding to manifestly unfounded or excessive requests, or responding to follow-up SARs, and has updated what organisations can take into account when charging an administration fee.

The guidance considers what the right of access is and how organisations should prepare for receiving requests, and how to recognise them in light of the fact that the GDPR does not prescribe formal wording for requesting access. It then goes on to consider when organisations may refuse to comply with a request, for example if an exception applies, or, as mentioned above, if it is manifestly unfounded or manifestly excessive. The guidance also explains about the various exceptions, such as, for example, exam results, confidential references and management information.

Among other things, the guidance considers the special cases of health, social work and education data, as well as the enforcement powers of the ICO in relation to subject access requests generally.

There is also guidance on how to retrieve information, how to supply it to the person who has requested it, and how to deal with special cases such as unstructured manual records and credit files and information which also involves other people.

The guidance culminates with the issue of enforced SARs which it says are often a criminal offence and can be better resolved by following other processes such as the criminal record disclosure regime or obtaining medical records.

The ICO says that the right of access is key to improving customer trust and handling access requests appropriately helps organisations to build trust.