01 December, 2020
On 21 October 2020, the UK Information Commissioner's Office ("ICO") released its updated guidance on the Right of Access under Article 15 of the EU General Data Protection Regulation ("GDPR").
The right of access provides individuals with the right to request and obtain a copy of their personal data, as well as supplementary information, and helps individuals understand how and why organisations are using their data.
The ICO provided a draft of the guidance for consultation in December 2019, and in response to the feedback it received, supplemented the guidance with additional content. The new guidance includes examples designed to demonstrate how the GDPR'S requirements will apply in practice and will be particularly relevant to organisations who receive a large number of access requests including but not limited to consumer facing businesses and/or public authorities. The new guidance can be found here.
The new guidance recognises that individuals can now make subject access requests by a variety of methods, verbally, by traditional letter, email, via the organisation's website or even via social media, for organisations that have a social media platform. Therefore, the new guidance encourages organisations to take a co-ordinated and proactive approach to data request handling, and advocates the following;
Whilst SARs should be responded to in full within one month of receipt of the request/ receipt of any information requested by the organisation to verify the requester's identity, the guidance reminds organisations that this time period can be extended by a further two months where the request is complex or where there have been multiple requests from the same individual. However, the guidance notes re-enforce that an organisation must be able to demonstrate the need for the extension of the time period.
Where clarification is genuinely required to enable an organisation to respond, the new guidance states that the time limit for responding may be paused until clarification is received. The ICO refer to this as "stopping the clock" but expressly warns organisations against using "stopping the clock" as a delaying tactic, emphasising the importance of organisations being transparent and co-operative.
An organisation can refuse to comply with an access request where it is either "manifestly unfounded" or "manifestly excessive". The guidance clarifies that a request may be manifestly unfounded where an individual has no intention to exercise their right of access or where the request is malicious or is being used as a form of harassment and/or disruption for an organisation.
A manifestly excessive request is one which is "clearly or obviously unreasonable", in other words, disproportionate when balanced against the burden or costs involved in handling the request. The fact that an individual requests a large amount of information does not of itself mean that the request is excessive. All circumstances should be considered including the nature of the requested information, the context of the request and the available resources of the organisation.
Further, an organisation can charge a reasonable fee to cover their administrative costs if they think that a request is "manifestly unfounded or excessive". They can also charge a fee for further copies of personal information following the request. Where an organisation does charge a fee, the one-month time limit does not begin until they have received the fee.
This new guidance is readily welcomed, providing clearer direction for organisations, and ensuring that they are fully prepared to comply with and respond to all access requests received within the necessary timeframes.
As the public become more aware of their data rights, Local Authorities in particular are seeing rising numbers of SARs. They are time consuming to manage and detail/process heavy.
Knowing where your organisation's records are stored, financing the cost of secure storage/archiving, ensuring that data retention and destruction policies are being followed and documented and then locating, reviewing, and redacting records requires significant resource.
Our Insurance team is seeing a rise in data claims, whether this be due to inappropriate sharing of data, lost data, or premature destruction of data. Where the data loss can be linked to a financial loss or injury, these data errors can not only lead to fines by the ICO and reputational damage, but also civil claims for damages or human rights breaches.
Our Social Services team regularly handles complex data subject access requests and is on hand to help should assistance ever be required.