UK ICO Publishes New Guidance on the Right Of Access

Together we are Forbes


01 December, 2020

Kella Bowers
Partner and Head Social Care

On 21 October 2020, the UK Information Commissioner's Office ("ICO") released its updated guidance on the Right of Access under Article 15 of the EU General Data Protection Regulation ("GDPR").

The Right of Access

The right of access provides individuals with the right to request and obtain a copy of their personal data, as well as supplementary information, and helps individuals understand how and why organisations are using their data.

The ICO provided a draft of the guidance for consultation in December 2019, and in response to the feedback it received, supplemented the guidance with additional content. The new guidance includes examples designed to demonstrate how the GDPR'S requirements will apply in practice and will be particularly relevant to organisations who receive a large number of access requests including but not limited to consumer facing businesses and/or public authorities. The new guidance can be found here.

Practical advice for managing access requests

The new guidance recognises that individuals can now make subject access requests by a variety of methods, verbally, by traditional letter, email, via the organisation's website or even via social media, for organisations that have a social media platform. Therefore, the new guidance encourages organisations to take a co-ordinated and proactive approach to data request handling, and advocates the following;

  • providing staff with training to enable them to recognise incoming requests;
  • preparing a standard form for individuals to complete when they would like to make an access request;
  • allocating the responsibility of incoming access requests to a certain team member/members; and
  • developing policies and procedures on the right of access which are readily available to staff.
  • using Information Asset Registers which record where and how personal data is stored. The organisation's records of processing and/or Data Retention policy could be used to form such register.
  • Using Access Request Logs as a method of maintaining a log of current access requests and updating it to keep track of progress. This is particularly important as the Regulator could ask an organization to illustrate how requests are being handled and the Access Request log would evidence this
  • Keeping a Checklist for staff to use as an aide-memoire to help ensure that a consistent approach is taken to responding to access requests.

Extending the deadline to respond

Whilst SARs should be responded to in full within one month of receipt of the request/ receipt of any information requested by the organisation to verify the requester's identity, the guidance reminds organisations that this time period can be extended by a further two months where the request is complex or where there have been multiple requests from the same individual. However, the guidance notes re-enforce that an organisation must be able to demonstrate the need for the extension of the time period.

Where clarification is genuinely required to enable an organisation to respond, the new guidance states that the time limit for responding may be paused until clarification is received. The ICO refer to this as "stopping the clock" but expressly warns organisations against using "stopping the clock" as a delaying tactic, emphasising the importance of organisations being transparent and co-operative.

"Manifestly unfounded" and "Manifestly excessive"

An organisation can refuse to comply with an access request where it is either "manifestly unfounded" or "manifestly excessive". The guidance clarifies that a request may be manifestly unfounded where an individual has no intention to exercise their right of access or where the request is malicious or is being used as a form of harassment and/or disruption for an organisation.

A manifestly excessive request is one which is "clearly or obviously unreasonable", in other words, disproportionate when balanced against the burden or costs involved in handling the request. The fact that an individual requests a large amount of information does not of itself mean that the request is excessive. All circumstances should be considered including the nature of the requested information, the context of the request and the available resources of the organisation.

Further, an organisation can charge a reasonable fee to cover their administrative costs if they think that a request is "manifestly unfounded or excessive". They can also charge a fee for further copies of personal information following the request. Where an organisation does charge a fee, the one-month time limit does not begin until they have received the fee.

Forbes Comment

This new guidance is readily welcomed, providing clearer direction for organisations, and ensuring that they are fully prepared to comply with and respond to all access requests received within the necessary timeframes.

As the public become more aware of their data rights, Local Authorities in particular are seeing rising numbers of SARs. They are time consuming to manage and detail/process heavy.

Knowing where your organisation's records are stored, financing the cost of secure storage/archiving, ensuring that data retention and destruction policies are being followed and documented and then locating, reviewing, and redacting records requires significant resource.

Our Insurance team is seeing a rise in data claims, whether this be due to inappropriate sharing of data, lost data, or premature destruction of data. Where the data loss can be linked to a financial loss or injury, these data errors can not only lead to fines by the ICO and reputational damage, but also civil claims for damages or human rights breaches.

Our Social Services team regularly handles complex data subject access requests and is on hand to help should assistance ever be required.

For more information contact Kella Bowers in our Insurance department via email or phone on 01254 222437. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Insurance department here

Inconsistencies in "unimpressive" claimant's evidence - claim…

Assault by Service User does not lead to liability finding

Contact Us

Get in touch to see how our experts could help you.

Call0800 689 3206

CallRequest a call back

EmailSend us an email

Contacting Us

Monday to Friday:
09:00 to 17:00

Saturday and Sunday: