ICO Issues new Data Subject Access Request (DSAR) Guidance

The ICO’s recently updated DSAR guidance will be welcomed by many organisations grappling with DSARs.  The Guidance is lengthy at 81 pages long, but there are a number of key clarifications which can be summarised as follows:

1) Stopping the clock while clarifying the DSAR

The new guidance enables a data controller to stop the clock where clarification is needed.  This allows the DSAR timescale response to be extended by the period taken by the data subject to provide the clarification.  The data controller should issue a clarification request as quickly as possible, should only seek clarification where actually required to comply with the DSAR and advise the data subject that the clock is being stopped.  If the data subject fails to provide any further information, then the data controller should still carry out a reasonable search.

2) Rejecting a Manifestly unfounded or excessive request

A data controller is already entitled to refuse to respond to a DSAR if it can show that the request is “manifestly unfounded or manifestly excessive.” However, the ICO guidance gives more instruction in relation to how a data controller should assess whether a request can be refused on this basis.

The key message is that each DSAR must be considered on its own merits and a blanket approach to DSARs is not permissible.  Also, data controllers will need to provide a strong justification for request refusal.

When determining whether a DSAR is “manifestly excessive”, a data controller must decide whether a request is clearly or obviously unreasonable, taking all the circumstances of the request into account. The assessment should take the following into account:

• the nature of requested information;
• the context of the request,
• the relationship between the data controller and the data subject;
• the resources available, including costs involved;
• whether the DSAR largely repeats previous requests without a reasonable interval having elapsed; and
• whether the DSAR overlaps with others.

A DSAR may be “manifestly unfounded” if the data subject has no intention of exercising their right of access or the request is malicious.

3) Charging for excessive, unfounded or repeated DSARS

As an alternative to DSAR refusal, a data controller may charge a fee for the administrative costs of complying with a DSAR if it is manifestly unfounded or excessive, or an individual requests further copies of their data following a request. Although there is no need for data controllers to publish the criteria for calculation of fees, the fees should be clear, concise and capable of justification.  If a data controller decides to charge a fee it does not have to comply with the DSAR until the fee has been received.

Data Controllers can include the costs of:

• assessing whether the organisation is processing the information
• locating, retrieving and extracting the information
• providing a copy of the information
• communicating the response
• photocopying, printing, postage, and other costs in transferring information; and
• staff time charged at a reasonable hourly rate

Conclusion

The updated guidance is certainly helpful, particularly the “stop the clock” provision which will be a useful tool for data controllers who need further information to enable them to complete the search. Rejecting a DSAR or charging a fee on the grounds that it is manifestly excessive or unfounded will rarely happen, but the steps to be followed by data controllers are now well defined.

This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Protection team at Cleaver Fulton Rankin for further advice or information.

---