The Information Commissioner’s Office (ICO) has revised its guidance regarding timescales for compliance with Data Subject Access Requests (DSARs) where the data controller requires further information from the data subject.

The new guidance will certainly not be welcomed by employers, as now the clock starts ticking from receipt of the DSAR, or (if later) the receipt of proof of identification. It is not paused if an employer asks the data subject for more information (timeframes, keywords, individuals involved etc.) in order to understand the nature and scope of their request.

This change applies to both the one- and three-month time periods for compliance (the latter applying for more complex requests). The data subject must also be made aware of an extension within the first month after their request.

While employers can, and in many situations still should, ask the data subject for further information to clarify what information they are seeking, this change will inevitably lead to a reduced timeframe in which businesses must collate their responses.

If you require any further guidance in dealing with DSAR requests, please contact a member of the Dentons team.

Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
,
Tom Fancett

About Tom Fancett

Tom has experience acting for both employers and employees, advising on the full spectrum of contentious and non-contentious matters. His experience includes advising on large commercial transactions, including redundancy and TUPE issues; undertaking buy side and sell side due diligence exercises into the employment aspects for multiple commercial transactions; coordinating multijurisdictional projects; defending Employment Tribunal claims in relation to unfair dismissal, disability and sex discrimination and whistleblowing; advising on day-to-day HR and disciplinary issues; drafting and negotiating settlement and service agreements; and reviewing company handbooks and template employment contracts.

Full bio

You might also like...