ICO publishes guidance to simplify data subject access requests

The Information Commissioner’s Office (ICO) has published updated guidance for organisations on how to deal with data subject access requests (DSARs) under the GDPR.

This guidance takes into account the feedback that the ICO received following a consultation process in December 2019. In particular, the ICO has said that the feedback asked for “additional content and examples, and it was also obvious that there was an appetite for more support and clarification on some aspects of the law that aren’t so clear-cut“.

The three key issues arising from the feedback that have been addressed in the guidance are:

  • Stopping the clock for clarification: As a result of a general criticism that seeking clarification on requests often did not leave enough time to respond, the ICO has now amended its position. It has explained and illustrated with examples the circumstances in which DSARs may be deemed complex and enabled the response period of up to a month from receipt of a DSAR to be paused while a controller waits for the individual to clarify their request.
  • Determining when a DSAR is manifestly excessive: The new guidance confirms this assessment requires the data controller to consider whether the DSAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the DSAR into account and using them to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the DSAR.
  • Costs: The ICO has taken on board feedback about the fee for staff time involved in responding to manifestly unfounded or excessive requests, and has updated its guidance on what organisations can take into account when charging an administration fee. The guidance states that the data controller’s reasonable fee may include the costs of its staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices.

The guidance is aimed at data protection practitioners and organisations, who are likely to welcome the enhanced content and detail as it is intended to ease the complexity and reduce the response times associated with DSARs. It is certainly useful for organisations across the board, especially during the COVID-19 pandemic, as it will give them more insight into how to deal with DSARs and access the information they need quickly and easily.

The following is a link to the guidance – Right of Access Guidance

Subscribe and stay updated
Receive our latest blog posts by email.
Victoria Middleditch

About Victoria Middleditch

Victoria is an employment lawyer in Dentons' London office. She provides support to businesses on the full range of employment law and human resources issues. Her experience includes advising on commercial transactions and re-organizations (including complex TUPE matters), employment disputes (both tribunal and civil court litigation), team moves, employment contracts and policies, bonus and commission schemes, and general day-to-day human resources issues.

Full bio