The Information Commissioner’s Office (ICO) has published draft guidance on handling data subject access requests under GDPR. You can find the guidance at https://ico.org.uk/media/about-the-ico/consultations/2616442/right-of-access-draft-consultation-20191204.pdf.
The guidance will replace that published in April 2018. It covers topics such as:
- how to recognise a subject access request;
- finding and retrieving the relevant information;
- how to supply the information;
- when a request can be refused;
- claiming exemptions; and
- dealing with information about third parties.
Key concerns for organisations
Unfortunately, we have not found that the guidance provides any particularly useful information when it comes to dealing with requests that you may consider excessive. We know our clients are concerned about the size of requests made. The guidance merely points out cases where an organisation should not consider a request excessive. It does not give any tangible assistance to organisations to enable them to push back on unreasonable requests.
However, the guidance does helpfully deal with the ability to extend the time to respond. An organisation can extend the response time to three months where a request is complex or one of many requests from the individual. It gives examples of factors that may, in some circumstances, add to the complexity of a request, such as technical difficulties in retrieving the information, applying an exemption to large volumes of sensitive information, or applying redactions.
The guidance does not add much in the way of a steer around charging a fee. It confirms an organisation can charge a fee for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if further copies are required. The fee must be reasonable, and cannot include the time taken to deal with the request.
The guidance will sit alongside the ICO’s guide, which explains the general data protection regime and the data protection principles, rights and obligations. You can find the guide at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/.
The consultation aims to gather the views of stakeholders and the public as to where further clarity is needed, based on experiences of dealing with subject access requests. The consultation is open until 17:00 on 12 February 2020. To feed into the consultation, please visit https://wh.snapsurveys.com/s.asp?k=157493897966.