The Information Commissioner’s Office (ICO) has revised its guidance regarding timescales for compliance with Data Subject Access Requests (DSARs) where the data controller requires further information from the data subject.
The new guidance will certainly not be welcomed by employers, as now the clock starts ticking from receipt of the DSAR, or (if later) the receipt of proof of identification. It is not paused if an employer asks the data subject for more information (timeframes, keywords, individuals involved etc.) in order to understand the nature and scope of their request.
This change applies to both the one- and three-month time periods for compliance (the latter applying for more complex requests). The data subject must also be made aware of an extension within the first month after their request.
While employers can, and in many situations still should, ask the data subject for further information to clarify what information they are seeking, this change will inevitably lead to a reduced timeframe in which businesses must collate their responses.
If you require any further guidance in dealing with DSAR requests, please contact a member of the Dentons team.