The ICO has today announced that it has published its updated its 'Right of Access Detailed Guidance'. A copy of the guidance can be found here - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/
This guidance has been updated to reflect the changes introduced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 as the previous guidance still referred to the provisions under the Data Protection Act 1998 - although much of that guidance still remains relevant today.
The ICO initially published the guidance in draft form back in December 2019 and sought views from organisations as part of its consultation process. That consultation has now ended and the final guidance has been published.
What is different?
Further clarification has been given to organisations in the following areas:
- Seeking clarification from the requester - The guidance has been updated to confirm that the time limit for responding to a subject access request can be paused in certain circumstances to allow the organisation responding to the request to seek clarification from the requester as to what information they are seeking. The guidance states that where an organisation holds a large amount of information about the requester and it is not clear what information the requester is seeking, then the organisation can ask for clarification and the 1 month time period for responding will be paused until the requester responds.
- Manifestly unfounded or excessive - The guidance provides further examples and guidance to assist organisations in understanding when a request may be classified as manifestly unfounded or excessive. The guidance states that a request may be manifestly unfounded if the individual clearly has no intention to exercise their right of access or the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption.
- Conducting a reasonable search - Those with a keen eye for detail may have noticed that references to searches 'involving a disproportionate effort' have been removed from this version of the guidance and replaced with references to refusing requests which are manifestly unfounded or excessive. There is, however, reference within the guidance to organisations' obligation to conduct a reasonable search for the information that has been requested. The guidance states that "You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information." This should provide some comfort to organisations who handle large amounts of personal information about a requester e.g. if the request has been made by an employee who has a long service history.
What action should we take?
Many of the changes to the guidance are nuanced and will not necessarily require any changes to be made to your existing subject access request procedure. However, your procedure should be reviewed to determine whether any changes need to be made to your existing procedure.
For more information contact Bethany Paliga in our Governance, Procurement & Information department
via email or phone on 01254 222347.
Alternatively send any question through to Forbes Solicitors via our online Contact Form.