Charlotte McBride, Associate Solicitor at Collingwood Legal, looks at three 'must know' points that come out of the Information Commissioner's latest guidance on handling Subject Access Requests.
Stopping the clock
Businesses usually have one month to respond to a
Subject Access Request (SAR). However, there can be
times when clarification is needed before a response
can be provided. For example, if someone requests
“all the information you hold about me.”
Where an organisation seeks clarification from the
individual, this ‘stops the clock’ on the time limit to
respond to the SAR, and the clock only resumes once the
clarification is received. The ICO’s updated guidance
states that clarification should be requested
“promptly” so that the organisation can focus on
searching for the information the individual wants at
as early a stage as possible.
There are two important points businesses should
note about this mechanism:
- Any extension to the time limit is counted in
  days, not hours. Therefore, if clarification is
  requested and received on the same day, the
  clock will not stop.
- The clock is only stopped when clarification is
  sought about the information requested, rather
  than something like the format of the response.
  Businesses should be careful not to assume
  that, just because they have contacted the data
  subject, the time limit to respond to the SAR
  will automatically be paused.
When is a SAR “manifestly excessive”?
An organisation may refuse to comply with a SAR
(either wholly or partially) where the request is
“manifestly excessive”. This is one type of exemption
to complying with a SAR but any reliance on it will
need to be justified to the individual making the
request in terms of how or why their request is
considered to fall in that category.
The ICO’s latest guidance provides some detail about
what “manifestly excessive” means. In addition
to considering whether the request is clearly or
obviously unreasonable, the guidance suggests the
following points should also be considered:
- the nature of the requested information;
- the context of the request, and the relationship
  between the organisation and the individual;
- whether a refusal to provide the information or
  even acknowledge if the organisation holds it
  may cause substantive damage to the individual;
- the organisation’s available resources;
- whether the request largely repeats previous
  requests and a reasonable interval has not yet
  elapsed; or
- whether it overlaps with other requests
  (although if it relates to a completely separate
  set of information it is unlikely to be excessive).
Importantly, the guidance highlights that a SAR
is not excessive simply because a large amount
of information is requested. Any reliance on this
exemption will need to be justified to the individual
making the request in terms of how or why their
request is considered to fall in that category, so
careful consideration will be needed.
What is a ‘reasonable fee’ to charge?
Organisations can no longer automatically charge
a fee to comply with a SAR, although a “reasonable
fee” may be charged for the administrative costs
of complying with a SAR if it is either manifestly
unfounded or excessive, or if an individual requests
further copies of their data following a request.
A standard £10 fee used to apply, but when an
organisation is determining a “reasonable fee” to
charge under the current regime, some of these
factors could be considered:
- assessing whether or not the organisation is
  processing the information;
- locating, retrieving and extracting the
  information;
- providing a copy of the information; and
- communicating the response to the individual.
The ICO’s guidance suggests that organisations
should ensure that they charge fees in a reasonable,
proportionate and consistent manner. It would
be good practice for organisations to establish an
unbiased set of criteria, available on request, for
charging fees which explains:
- the circumstances in which it would charge a fee;
- its standard charges (including a costs breakdown
  where possible, e.g. the costs per A4 photocopy);
  and
- how it calculates the fee, explaining the costs
  taken into account, including the costs of any
  equipment or staff time.
Given the various factors to be considered and
the transparency required around those charging
arrangements, organisations may prefer to only
charge a fee when they are faced with the most
excessive of SARs to avoid falling foul of the ICO’s
prescriptive guidance.
Clarification rather than change
Many of you will be breathing a sigh of relief that
the latest guidance does not change the existing
rules you have been working to. It does, however,
offer some helpful clarification and practical
guidance on some key points you’re likely to come
across when handling SARs, and is worth familiarising
yourself with.