Data Protection: Sar Times

Background

Data subjects have had the right to access personal data held about them since the introduction of the Data Protection Act 1998. Some changes were introduced under GDPR, one being the timescale to comply with a request which was shortened from 40 days to one month. ICO guidance issued at the time, advised that time should run from the day after you receive a request until the corresponding date in the following month.

Change to Time Limit

Just this month however, the ICO has changed its advice and announced that time should run to include the day on which the Subject Access Request (SAR) has been received. In practice, this means that if you receive a SAR on 3 June, the deadline to respond will be 3 July and not 4 July as previously understood.

The reason for this change is a European Regulation, which governs time limits and a Court of Justice case which interpreted the Regulation, to mean that a deadline is the corresponding date in the following month.

Do we need to do anything in response?

Although it is a minor change in that time is shortened by one day only, it is nonetheless worth actioning the following:

• Updating any internal Data policies or SAR policies to clarify response deadlines;
• Notifying staff with responsibility for dealing with SARs

In the event that the ICO ever audit your organisation or review your policies and procedures in dealing with a complaint, this will demonstrate that you take your data protection obligations seriously and actually action guidance issued.

This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Employment Team at Cleaver Fulton Rankin for further advice or information.