More and more people are waking up to the power of their personal data and are exercising their rights. That’s why, as an organisation, you must know how to deal with a subject access request (SAR) effectively and efficiently.
Back in December 2019, the ICO produced some additional guidance that they sent out for consultation. They received over 300 responses from organisations of all sizes and sectors.
The response to the consultation showed how seriously organisations take their data protection obligations – and so the ICO has responded by providing clarity on the three key points raised.
1. Stopping the clock for clarification
One issue which they received a lot of feedback on was that seeking clarification on requests often did not leave enough time for organisations to respond. As a result, in certain circumstances, the ICO has confirmed that the clock can be stopped whilst organisations are waiting for the requester to clarify their request.
2. Explanation of a manifestly excessive request
To combat confusion over when to class a request as manifestly excessive, the ICO has provided additional guidance to help and broadened its definition.
An organisation needs to consider whether the request is clearly or obviously unreasonable. This should be based on whether it is proportionate when balanced with the burden or costs involved in dealing with the request.
You should also consider, amongst other things: your available resources; whether the request largely repeats previous requests without a reasonable interval having elapsed; and whether it overlaps with other requests (although if it relates to a completely separate set of information, it is unlikely to be excessive).
3. What can be included when charging a fee for excessive, unfounded or repeat requests
Feedback has been taken on board about the fee for staff time involved in responding to manifestly unfounded or excessive requests, or responding to follow-up subject access requests. The ICO has now updated what organisations can take into account when charging an admin fee.
A reasonable fee may include the costs of photocopying, printing, postage and any other costs involved in transferring the information to the individual. These could consist of the costs of making the information available remotely on an online platform, equipment and supplies (e.g. discs, envelopes or USB devices) and staff time.
You should ensure that you charge fees in a reasonable, proportionate and consistent manner. Therefore, it is good practice to establish an unbiased set of criteria for charging fees which explains the circumstances in which you charge a fee.
The ICO has also made many more changes and added additional content to the guidance that they previously published. This should provide you with more insight into how to deal with SARs and access the information needed quickly and easily.
Updating your organisation’s privacy notice with a link to the ICO guidance or a brief explanation of the changes would be a good practice.
It’s also worth bearing in mind that the right of access is a cornerstone of data protection law, and good subject access request compliance inspires trust and confidence.