Back in December 2019 the Information Commissioner's Office (ICO) held a consultation outlining guidance for dealing with Data Subject Access Requests (DSARs). DSARs are requests from individuals asking organisations what personal data they are using and/or storing about them. An individual's rights to access, amend, transfer and erase the personal data an organisation holds about them are fundamental principles of the General Data Protection Regulation (GDPR).
Recently the ICO published a new guide clarifying key information, including how organisations should respond to these requests.
According to the guide, organisations must respond to a DSAR as soon as possible, and in any case within one calendar month of the day the request is received. If the request is particularly complex or many are received at one time, the organisation may take a maximum of three calendar months to respond. The guide also outlines that the time limit can be paused if the individual does not specify what personal information they would like access to, or if the request is otherwise vague. At this point the organisation can contact the requester and ask for clarification, and the time limit resumes once the request is clarified. It is important to note that organisations must only ask for clarification if it is necessary in order to respond or if there is a large amount of information to process.
A company can refuse to respond to a DSAR outright if it is believed to be manifestly unfounded or excessive. Adequate proof must be provided to deny a request, which could include:
- the individual stating they intend to cause disruption by making the DSAR
- the individual implying they are targeting a particular employee
- the individual frequently making multiple complex requests without a clear rationale.
The organisation must consider DSARs on a case-by-case basis and must not apply a blanket refusal. Alternatively, the guide also states that the organisation can agree to respond to potentially unfounded or excessive requests for a fee. The charge should be proportionate to the staff time and equipment used to fulfil the request.
It is worth noting that the requirement to respond to DSARs is not limited to commercial organisations. Charities, not-for-profit organisations, public authorities and educational establishments are all required to comply with requests and the time limits, regardless of the resources they have to do so. However, it may be possible to make use of the extension of time if an organisation encounters complexity in replying because of its nature, for example if the organisation is managed by volunteers or has lower staffing levels during holiday periods.
With this new guide, the ICO has thoroughly clarified its information and standards on how organisations should respond to DSARs. More details and advice can be found on the ICO website.