Hit "Enter" to search or "Esc" to close.

Your privacy is important to us.

This website uses cookies to help deliver its services. By using this website, you agree to the use of cookies as outlined in our Cookie Policy.

  • Home
  • Sectors & Solutions
    • Brexit Legal Support
    • Charities & Social Enterprises
    • Energy & Renewables
    • InterTradeIreland Emergency Business Solutions
    • Manufacturing Law
    • Property Developers & Construction
    • Technology Law
    • The Legal Technology Group
    • eDiscovery
    • CFR HR
    • ESG Hub
  • Expertise
    • Banking & Finance
    • Commercial
    • Commercial Real Estate
    • Construction
    • Corporate & M&A
    • Data Protection
    • Dispute Resolution
    • Employment
    • Planning & Environment
    • Foreign Direct Investment
    • Insolvency & Business Restructuring
    • Intellectual Property & Technology
    • Personal Legal Matters
    • Private Equity & Venture Capital
    • Public Procurement
    • Public & Administrative
    • Tourism & Licensing
  • People
    • People
    • Join Our Team
    • Trainee Programme
  • News & Insights
    • News
    • Legal Insights
    • Social
  • About
    • About Us
    • Clients
    • Corporate Social Responsibility
  • Legal Technology
    • The Legal Technology Group
    • Frequently Asked Questions
    • Insights
    • Electronic Discovery Reference Model
  • ESG Hub
  • Get In Touch
Cleaver Fulton Rankin Solicitors, Belfast Logo
Contact
  • Sectors & Solutions
    • Brexit Legal Support
    • Charities & Social Enterprises
    • eLearning
    • Energy & Renewables
    • InterTradeIreland Emergency Business Solutions
    • Legal Technology
    • Manufacturing Law
    • Property Developers & Construction
    • Technology Law
    • CFR HR
    • ESG Hub
  • Expertise
    • Banking & Finance
    • Business & Private Immigration
    • Commercial
    • Commercial Real Estate
    • Construction
    • Corporate & M&A
    • Data Protection
    • Dispute Resolution
    • eDiscovery
    • Employment
    • Planning & Environment
    • Foreign Direct Investment
    • Insolvency & Business Restructuring
    • Intellectual Property & Technology
    • Personal Legal Matters
    • Private Equity & Venture Capital
    • Public Procurement
    • Public & Administrative
    • Tourism & Licensing
  • People
    • People
    • Join Our Team
    • Trainee Programme
  • News & Insights
    • News
    • Legal Insights
    • Social
  • About
    • About Us
    • Clients
    • Corporate Social Responsibility
  • Legal Technology
    • The Legal Technology Group
    • Frequently Asked Questions
    • Insights
    • Electronic Discovery Reference Model
  • ESG Hub
  • Get In Touch
Contact

ICO Issues new Data Subject Access Request (DSAR) Guidance

< Back to Legal Insights

The ICO’s recently updated DSAR guidance will be welcomed by many organisations grappling with DSARs.  The Guidance is lengthy at 81 pages long, but there are a number of key clarifications which can be summarised as follows:

1) Stopping the clock while clarifying the DSAR

The new guidance enables a data controller to stop the clock where clarification is needed.  This allows the DSAR timescale response to be extended by the period taken by the data subject to provide the clarification.  The data controller should issue a clarification request as quickly as possible, should only seek clarification where actually required to comply with the DSAR and advise the data subject that the clock is being stopped.  If the data subject fails to provide any further information, then the data controller should still carry out a reasonable search.

2) Rejecting a Manifestly unfounded or excessive request

A data controller is already entitled to refuse to respond to a DSAR if it can show that the request is “manifestly unfounded or manifestly excessive.” However, the ICO guidance gives more instruction in relation to how a data controller should assess whether a request can be refused on this basis.

The key message is that each DSAR must be considered on its own merits and a blanket approach to DSARs is not permissible.  Also, data controllers will need to provide a strong justification for request refusal.

When determining whether a DSAR is “manifestly excessive”, a data controller must decide whether a request is clearly or obviously unreasonable, taking all the circumstances of the request into account. The assessment should take the following into account:

  • the nature of requested information;
  • the context of the request,
  • the relationship between the data controller and the data subject;
  • the resources available, including costs involved;
  • whether the DSAR largely repeats previous requests without a reasonable interval having elapsed; and
  • whether the DSAR overlaps with others.

A DSAR may be “manifestly unfounded” if the data subject has no intention of exercising their right of access or the request is malicious.

3) Charging for excessive, unfounded or repeated DSARS

As an alternative to DSAR refusal, a data controller may charge a fee for the administrative costs of complying with a DSAR if it is manifestly unfounded or excessive, or an individual requests further copies of their data following a request. Although there is no need for data controllers to publish the criteria for calculation of fees, the fees should be clear, concise and capable of justification.  If a data controller decides to charge a fee it does not have to comply with the DSAR until the fee has been received.

Data Controllers can include the costs of:

  • assessing whether the organisation is processing the information
  • locating, retrieving and extracting the information
  • providing a copy of the information
  • communicating the response
  • photocopying, printing, postage, and other costs in transferring information; and
  • staff time charged at a reasonable hourly rate

Conclusion

The updated guidance is certainly helpful, particularly the “stop the clock” provision which will be a useful tool for data controllers who need further information to enable them to complete the search. Rejecting a DSAR or charging a fee on the grounds that it is manifestly excessive or unfounded will rarely happen, but the steps to be followed by data controllers are now well defined.

This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Protection team at Cleaver Fulton Rankin for further advice or information.


« Previous Article
Next Article »

How can we help you?


Call us on the Belfast number below or send us a message and one of our team will be in touch.

028 9024 3141
Send us a Message

How can we help you?


Contact
GDPR Compliance *

Related Areas


  • Data Protection
Cleaver Fulton Rankin Logo

Belfast Commercial Law Firm:

Cleaver Fulton Rankin,
50 Bedford Street,
Belfast, BT2 7FW

Tel: 028 9024 3141
E: info@cfrlaw.co.uk

Social Media Icon Social Media Icon Social Media Icon Social Media Icon

Privacy Policy
Cookie Policy
Disclaimer

© 2022 Cleaver Fulton Rankin - Solicitors, Belfast
Created by WebsiteNI

Current Awards

Award
Award
Award
Award
Award
Award
Award
Award
Award

Social Media Icon Social Media Icon Social Media Icon Social Media Icon

Privacy Policy    |    Cookie Policy    |    Disclaimer

© 2022 Cleaver Fulton Rankin - Solicitors, Belfast    |    Created by WebsiteNI

© 2022 Cleaver Fulton Rankin - Solicitors, Belfast    |    Responsible Business    |    Privacy Policy    |    Cookie Policy    |    Disclaimer    |    Created by WebsiteNI

Social Media Icon Social Media Icon Social Media Icon Social Media Icon