Subject Access Requests – Common Questions Answered
The Information Commissioner’s Office (“ICO”) is the UK’s independent data compliance organisation which governs all matters concerning personal data from ensuring individuals (“data subjects”) personal data rights to enforcing fines and notices against companies which breach data protection rules.
Data subjects have the right to access and receive a copy of their personal data which organisations (or data controllers) hold. This is commonly referred to as a subject access request (“SAR”).
SAR’s may be made verbally or in writing and may be made by a third party on behalf of another person. Organisations usually have one month to action and comply with SAR’s and the data should be in a clear, intelligible format. Organisations can only refuse to deal with a SAR if an exemption or restriction applies, or if the SAR is manifestly unfounded or excessive.
Each SAR should be reviewed on a case-by-case basis to determine what data the subject is requesting and how the organisation should respond in a compliant way.
Three common questions which have been asked by organisations to the ICO include:
Can organisations stop the clock for clarification?
In certain circumstances, organisations may temporarily ‘freeze’ the one-month time limit to respond to SAR’s. This may be the case if an organisation holds a large amount of data about the individual and the request for information is not clear.
Organisations should not apply a blanket policy to ‘stop the clock’ simply because the request is for a substantial amount of information. They can only pause the time in responding to a request if clarification is genuinely required for that specific request and the organisations holds a large amount of data about the individual.
What does manifestly excessive mean?
You should balance the proportionality and volume of the request with the burden and costs in dealing with it; to determine whether the request is manifestly excessive.
Factors to consider include: the nature of the requested information, the context of the request, your available resources, whether the request largely repeats previous requests and whether refusal to provide the information may cause substantive damage to the individual.
Organisations should not adopt a blanket policy when dealing with voluminous requests, as each should be considered on a case-by-case basis.
What can be included when charging a fee for excessive, unfounded or repeat requests?
When determining to charge a reasonable fee, you can consider the administrative costs of reviewing the request, locating the information, copying the information and communicating the response to the individual.
Administrative costs may include: photocopying, printing and posting the information to the requestor, staff time (calculated at a reasonable hourly rate) and equipment and supplies (ie USB devices or discs).
It would be good practice, before dealing with any request, to detail the circumstances for which you may charge a reasonable fee, your standard charges (ie costs breakdown), and how you calculate the fee (including staff hourly rates). Charged costs must be justifiable in the event the requestor complains to the ICO.
If you choose to charge a fee, you do not need to comply with the request until you have received the fee.
If your business would benefit from assistance when dealing with SAR’s, contact Chadwick Lawrence’s Regulatory team today on 01484 519 999 or email Harveyblake@chadlaw.co.uk or Nicholasworsnop@chadlaw.co.uk
- Like this ? Share with friends