A change in approach to subject access? ICO Publishes Updated DSAR Guidance

Summary

• The ICO (the UK privacy regulator) has updated its guidance on data subject access rights, and the revised guidance appears to be aimed at giving organisations practical advice on managing and responding to subject access requests by including further detail and examples.
• Although the revised guidance has not changed dramatically, it is fair to say that there are a few elements of the revised guidance which offer a glimmer of hope for organisations currently struggling to effectively manage the burden of DSAR compliance, and increasingly frustrated regarding the use of DSARs as a ‘fishing expedition’ for disgruntled employees.
• In certain circumstances, the guidance provides that organisations can now stop the clock when clarifying access requests with data subjects.
• Additional guidance is now also available on what constitutes a ‘manifestly excessive’ request (i.e. when an organisation can refuse to comply with a subject access request).
• The ICO has also widened the circumstances in which organisations are permitted to charge a reasonable fee for DSAR responses.
• Interestingly, the guidance contains a new section on ‘enforced’ subject access requests (sometimes seen in the employment context as a tool to carry out background checks), and concludes that in some circumstances these can result in a criminal offence being committed.

Background                                        

As we detailed in a previous blog post, the ICO released draft guidance back in December 2019 on the right of individuals under the GDPR to access their data, alongside a consultation which closed in February 2020. Following feedback from the consultation, the ICO has now updated and published its final guidance.

Updated Guidance

Stopping the Clock: The ICO has expanded its guidance in relation to the clarification of access requests. Whilst the draft guidance gave organisations the opportunity to clarify (but not narrow) access requests, it specifically set out that the time limit to respond to access requests (i.e. one month) was not paused whilst they waited for a response from data subjects. As a result, organisations were advised under the draft guidance to begin searching for information as soon as possible. In contrast to this, the updated guidance now sets out that the time limit for responding to requests is paused until organisations receive clarification from data subjects (which the guidance refers to as ‘stopping the clock’).

Whilst this change in guidance will likely be welcomed by organisations keen to avoid a situation where they are still bound by the (already tight) statutory deadline whilst waiting for responses to their clarification requests (which may never be provided), there are still conditions (some of which remain unchanged from the draft guidance) attached to its applicability. Therefore, despite this change in guidance, organisations should be aware that:

• the clock is stopped in relation to the obligation to provide information only to the extent that they cannot reasonably provide such information without the clarification (i.e. where there are elements of the access request which do not require clarification, these should still be dealt with within the one month time limit);
• the previous requirement that they process a large amount of information about the requester before they are able to clarify the request remains; and
• even if they process a large amount of information about the requester, they should not seek clarification unless it is genuinely required in order to respond to the request.

In our view, the ability to stop the clock is a very welcome change in guidance when dealing with access requests relating to a large amount of information, and we consider that employers will find this particularly helpful when dealing with employee access requests. However, whilst it removes the uncertainty during the period in which organisations wait for responses to their clarification requests, organisations should continue to clarify requests only where they are genuinely required and remember that data subjects are still entitled to ask for all of the information held about them when responding, in which case, the clock restarts and the original scope of the access request remains. Organisations may therefore choose to continue to prepare for the access request even whilst the clock is stopped to better deal with it when the clock restarts (whilst noting that the clock may never restart if no responses are provided).

Manifestly Excessive Requests: In the updated guidance, organisations can refuse to comply with a request if it is ‘manifestly unfounded’ or ‘manifestly excessive’.

Whilst the meaning of a ‘manifestly unfounded’ request has remained largely the same, the ICO has now set out more detail on the meaning of a ‘manifestly excessive’ request. Here, organisations need to consider whether the request is ‘clearly or obviously unreasonable’, and should base this on whether the request is ‘proportionate when balanced with the burden or costs involved in dealing with the request’. According to the updated guidance, organisations should take into account all the circumstances of a request, including:

• the nature of the information requested;
• the context of the request, and the relationship with the requester;
• whether a refusal to comply with the access request may cause substantive damage to the requester;
• their available resources;
• whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
• whether the request overlaps with other requests.

Despite this update in guidance, organisations should be aware that:

• a request is not necessarily excessive just because the data subject (i) requests a large amount of information; or (ii) has previously submitted a manifestly unfounded or excessive request (this remains unchanged from the draft guidance); and
• they should continue to consider each request individually and ensure that they have strong justifications for why they consider a request to be manifestly excessive.

Whilst there is always a compliance risk in refusing to respond to access requests (even where there are reasonable justifications for doing so), this additional detail from the ICO will be really useful to organisations in providing them with a more concrete basis upon which to assess whether requests are manifestly excessive, especially the guidance around whether a request is ‘proportionate when balanced with the burden or costs involved in dealing with the request‘ given the costs often associated with dealing with some access requests. Although it remains to be seen how it will work in practice, we suspect that this expanded guidance may provide organisations with the possibility of a different way of dealing with genuinely unreasonable access requests.

Charging a fee when responding to an excessive subject access request: The final key issue which the ICO highlights is the “Can we charge a fee?” section. In summary, the ICO have broadened the reasons for which an organisation can seek to charge a data subject for responding to their request.  The revised guidance states that when calculating a fee, organisations can take into account the administrative costs of:

• assessing whether or not the organisation is processing the data subject’s personal data;
• locating, retrieving and extracting the information;
• providing a copy of the information; and
• communicating the response to the data subject.

The guidance goes on to state that a “reasonable fee” may include the costs of:

• photocopying, printing or posting (physically or electronically via an online platform);
• equipment and suppliers; and
• staff time (based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate).

In our view, this new stance from the ICO does allow companies to start charging for responding to excessive subject access requests in line with the criteria above.  However, it is important to note that the ICO’s position that organisations cannot ordinarily charge for a subject access request has not changed. The above principles only relate to charging for excessive or manifestly unfounded subject access requests, or if the data subject requests further copies of their data. Whilst this revised guidance does not alter the position with respect to day-to-day subject access requests, there does appear to be recognition from the ICO that organisations should not be obliged to bear the costs of unreasonable subject access requests.  However, we note that whilst the above guidance on what a “reasonable fee” might be is useful, it may be challenging for organisations to quantify the costs of what a reasonable hourly rate for staff time might be and that further, practical detail in this limb of the guidance would have been helpful.

Finally, the ICO recommends that organisations establish an “unbiased set of criteria for charging fees” which sets out when you charge a fee, the standard charges (including a costs breakdown where possible), and how the fee is calculated.  Interestingly, the ICO don’t require organisations to publish these criteria – only to make them available to data subjects on request.

Enforced subject access requests: Finally, we note that the final guidance contains a new section titled “Can we force an individual to make a SAR?”, which perhaps unsurprisingly concludes that an enforced SAR is not allowable, and in some cases is a criminal offence.  The ICO defines an enforced SAR as “when someone requires an individual to make a SAR to gain access to certain information about them e.g. their convictions, cautions or health records).  They then use this information, for example as supporting evidence regarding a job application”.

It is a criminal offence to require a person to make and provide the results of a subject access request including where such requests is in connection with an employee’s recruitment or an employee’s continued recruitment, where the subject access request seeks to elicit: (i) a health record; or (ii) information relating to a conviction or caution.

We assume that this limb of the guidance has been added as a result of consultation responses, and considering the principles behind the GDPR, it is logical that an organisation/individual cannot force another individual to make a subject access request – particularly in an employment context.  Any organisation who had been considering this as an avenue to uncover any potential criminal history/health data in relation to their employees should note the penalties carefully, and should follow the established routes should they wish to receive such data.

Overall, both the changes outlined above as well as the broader amendments appear to be aimed at making the guidance more practical and useful.  In this respect we note the inclusion of a number of additional examples which have been included, as well as new sections such as “How to provide information securely” which appear to be aimed at providing everyday, hands-on advice to organisations on how to deal with and respond to subject access requests.