Legal briefing

Does the ICO's new guidance on DSARs help organisations take a more pragmatic approach in their response?

Overview

On 21 October 2020, the ICO published an updated version of its Right of Access guidance ("the Guidance"), which followed a period of consultation earlier this year.

In general, we think the Guidance is helpful for businesses and reflects a number of points we raised in our Firm's response to the consultation. Our response was based, in part, on our experience in helping clients with their responses to data subject access requests ("DSARs"), and some of the issues they have faced. In this briefing, we look at the main changes in the Guidance and what they will mean for your business when responding to a DSAR.

Seeking clarification and stopping the clock

Before responding to a DSAR request, you may ask the requesting individual for clarification in relation to:

  • the information they are requesting, or
  • the processing activities their request relates to.

The usual one-month time limit for responding to the request will now pause until you receive a response to your request for clarification. This is referred to as 'stopping the clock'.

You should only seek clarification if:

  • it is genuinely required in order to respond to a DSAR because it is not clear what information the individual is requesting; AND
  • you process a large amount of information about the individual.

Both criteria must be fulfilled if you are seeking a clarification and wish to 'stop the clock'. If the DSAR is unclear, but you do not hold a large amount of information about the individual, the clock will not be stopped when you seek clarification, and you are expected to process the request and provide any information you do hold about the individual within the one-month timeframe. It is worth noting that you are not required to seek a clarification and may choose to perform a reasonable search instead. This may be preferable to going back and forth with a data subject about what information they are requesting if the DSAR is general and does not specify any parameters for the search.

Setting a new deadline when the clock is "stopped"

If the clock has been "stopped" because you have sought clarification, the time limit for responding to the DSAR stops on the day you request a clarification and does not resume until the day you receive the clarification from the requestor. For example, if you receive the DSAR on 1 November, your response is due on 1 December. On 3 November you request a clarification. The requestor does not provide the clarification until 8 November. The clock was stopped for 5 days, from 3 to 8 November, so your deadline for responding to the DSAR is extended by 5 days to 6 December.

If you seek clarification and receive it on the same day, the clock does not stop, as the extension to the time limit is calculated in days, not hours. You must explain to the requestor that the clock stops from the date you request clarification and will resume once they respond. If you seek clarification but do not receive a response, you should wait for a reasonable period of time before considering the request 'closed'. A reasonable period is not defined in the Guidance, so specifying a timeline for the requestor to provide the clarification gives you a useful measure for determining a reasonable period before closing a request.

As a reminder, you are also permitted to extend the time limit for responding to a DSAR by up to two months if the request is complex or the individual has made a number of requests. This extension can be applied in addition to 'stopping the clock' to seek clarification, so long as the individual is notified with the reason(s) why this is necessary within the first 30 days of their DSAR being raised.

'large amount of information'

To be able to request a clarification, the Guidance states that you must hold a large amount of information. This is subjective, and whether you hold a large amount of information about an individual will depend on the size and available resources of your organisation. It is unlikely to be reasonable or necessary to seek clarification if you process a large volume of information in relation to the individual but are able to obtain and provide the requested information quickly and easily. This is more likely to be the case if you are a large, well-resourced organisation with dedicated resource available for responding to DSARs and the DSAR in question has been specifically worded, e.g. in respect of a short time frame and/or certain individuals' email inboxes.

'the clarification'

The clock only stops where you seek clarification about the information the requestor has requested. The Guidance states that the clock will not stop if you ask for clarification on any other matter, e.g. the format of the response, and to the extent possible you should provide any Article 15(1) information that you are able to within the original timeframe.

It is important to remember that seeking a clarification is not a way to force the individual to narrow the scope of their request. The individual is still entitled to ask for 'all the information you hold' about them. If, after you seek a clarification, the individual either repeats their request or refuses to provide any additional information, you must still comply with their request by making reasonable searches. The individual may specify multiple criteria and also request 'everything else you hold about me'. In this latter circumstance you should focus your searches on the specified criteria (e.g. the date range) and then perform a reasonable search for the rest of the information.

Where possible, you should contact the individual in the same format they made the request, so if they have emailed the DSAR you should email them to ask for clarification.

What counts as a manifestly excessive request?

The definition of an 'excessive' request has been clarified in the latest iteration of the Guidance, which now refers to "manifestly excessive" requests. This is important because, under the new definition, you can refuse to respond to a request if it is "manifestly excessive", which is a more favourable position for data controllers. The Guidance sets out some additional factors that can be taken into consideration when assessing whether or not to respond to the DSAR. A request is manifestly excessive if it is "clearly or obviously unreasonable considering all the circumstances of the request", including:

  • the nature of the requested information;
  • the context of the request, and the relationship between you and the individual;
  • whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
  • your available resources;
  • whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
  • whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).

Although there now appear to be more avenues for businesses to find a request manifestly excessive and justify a refusal to comply with the request, the ICO has included an obligation on businesses to take into account some general considerations before exercising that right of refusal. These are:

  • to consider each request individually and not have a blanket policy;
  • not to presume that a request is manifestly unfounded or excessive just because an individual has previously submitted a manifestly unfounded or excessive request; and
  • to be aware that the inclusion of the word “manifestly” means there must be an obvious or clear quality to unfoundedness/excessiveness.

A request is not necessarily excessive just because the individual requests a large amount of information. You must ensure that you have strong justifications for why you consider a request to be manifestly unfounded or excessive, which you can clearly demonstrate to the individual and the ICO.

What can be included when charging a fee for excessive, unfounded or repeat requests?

In the previous version of the Guidance, businesses were permitted to charge a reasonable fee for the costs of photocopying, printing and postage for complying with a request. In addition to those costs, you may now take into account the administrative costs of the following:

  • assessing whether or not you are processing the information;
  • locating, retrieving and extracting the information;
  • providing a copy of the information (including any other costs involved in transferring the information to the individual, such as the costs of making the information available remotely on an online platform);
  • communicating the response to the individual, including contacting the individual to inform them that you hold the requested information (even if you are not providing the information);
  • equipment and supplies (e.g. discs, envelopes or USB devices); and, crucially,
  • staff time in dealing with the request.

You must notify the individual in advance if you intend to charge a fee for responding to their DSAR. You should base the cost of staff time on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate, and you should not double charge for any activities that cross over or are conducted simultaneously. Unfortunately, the Guidance does not specifically address whether the cost of outsourcing the response to a DSAR to an external firm can be included within the allowable fee. However, the inclusion of this cost would very likely be frowned upon by the ICO and, in our view, it would not be advisable to pass this cost on to the individual.

Time will (quite literally, in the case of the ability to stop the clock for extra clarification) tell whether the three points above make a material difference to organisations' DSAR response strategies. We foresee the 'stopping of the clock' where extra clarification is needed as potentially making the biggest difference to business because, in our experience, manifestly unfounded and excessive DSARs are relatively rare.

If you would like further information and advice about complying with DSARs, or would like to discuss how the new Guidance will affect your business specifically, please contact Dan Reavill or James Longster.