ICO Guidance on Dealing with Data Subject Access Requests
Alan Kitto
Last week the Information Commissioner’s Office (ICO) published some long-awaited direction for employers faced with a data subject access request (SAR). This guidance does not change the law as it currently stands, but instead clarifies some of the more ambiguous points.
The guidance covers three main areas:
What is a ‘manifestly excessive’ data subject access request?
The guidance confirms that this is always a balancing act and the employer must determine whether the SAR is 'clearly or obviously unreasonable'.
This involves assessing whether the response required is 'proportionate when balanced with the burden or costs involved'. Employers should consider all the circumstances, including (but not limited to): the nature of the information, the context of the request, whether not complying with the SAR could cause substantive damage to the employee, and the resources available to the employer.
The guidance deals specifically with what may amount to a ‘manifestly unfounded’ or a ‘manifestly excessive’ request here.
What is a ‘reasonable fee’ for complying with a manifestly excessive or unfounded SAR?
A ‘reasonable fee’ can include: the cost of staff time, photocopying, printing, postage, envelopes, USB sticks etc. Employers can take into account the administrative cost related to assessing the information, locating it, copying it and communicating with the employee.
You can see the complete guidance here.
Stopping the clock when clarification of the SAR is required
An employer can potentially ‘stop the clock’ on the 30-day time limit for complying with a SAR if clarification is genuinely required and the organisation processes a large volume of information about that employee.
The ICO has provided several useful examples, which you can view here.