New SAR Guidance Published by the ICO

Issue 64

Charlotte McBride, Associate Solicitor at Collingwood Legal, looks at three 'must know' points that come out of the Information Commissioner's latest guidance on handling Subject Access Requests.

Stopping the clock

Businesses usually have one month to respond to a Subject Access Request (SAR). However, there can be times when clarification is needed before a response can be provided. For example, if someone requests “all the information you hold about me.”

Where an organisation seeks clarification from the individual, this ‘stops the clock’ on the time limit to respond to the SAR, and the clock only resumes once the clarification is received. The ICO’s updated guidance states that clarification should be requested “promptly” so that the organisation can focus on searching for the information the individual wants at as early a stage as possible.

There are two important points businesses should note about this mechanism:

  • Any extension to the time limit is counted in days, not hours. Therefore, if clarification is requested and received on the same day, the clock will not stop.
  • The clock is only stopped when clarification is sought about the information requested, rather than something like the format of the response. Businesses should be careful not to assume that, just because they have contacted the data subject, the time limit to respond to the SAR will automatically be paused.

When is a SAR “manifestly excessive”?

An organisation may refuse to comply with a SAR (either wholly or partially) where the request is “manifestly excessive”. This is one type of exemption to complying with a SAR, but any reliance on it will need to be justified to the individual making the request in terms of how or why their request is considered to fall in that category.

The ICO’s latest guidance provides some detail about what “manifestly excessive” means. In addition to considering whether the request is clearly or obviously unreasonable, the guidance suggests the following points should also be considered:

  • the nature of the requested information;
  • the context of the request, and the relationship between the organisation and the individual;
  • whether a refusal to provide the information or even acknowledge if the organisation holds it may cause substantive damage to the individual;
  • the organisation’s available resources;
  • whether the request largely repeats previous requests and a reasonable interval has not yet elapsed; or
  • whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).

Importantly, the guidance highlights that a SAR is not excessive simply because a large amount of information is requested. Any reliance on this exemption will need to be justified to the individual making the request in terms of how or why their request is considered to fall in that category, so careful consideration will be needed.

What is a ‘reasonable fee’ to charge?

Organisations can no longer automatically charge a fee to comply with a SAR, although a “reasonable fee” may be charged for the administrative costs of complying with a SAR if it is either manifestly unfounded or excessive, or if an individual requests further copies of their data following a request.

A standard £10 fee used to apply, but when an organisation is determining a “reasonable fee” to charge under the current regime, some of these factors could be considered:

  • assessing whether or not the organisation is processing the information;
  • locating, retrieving and extracting the information;
  • providing a copy of the information; and
  • communicating the response to the individual.

The ICO’s guidance suggests that organisations should ensure that they charge fees in a reasonable, proportionate and consistent manner. It would be good practice for organisations to establish an unbiased set of criteria for charging fees, available on request, which explains:

  • the circumstances in which it would charge a fee;
  • its standard charges (including a costs breakdown where possible, e.g. the costs per A4 photocopy); and
  • how it calculates the fee – explaining the costs taken into account, including the costs of any equipment or staff time.

Given the various factors to be considered and the transparency required around those charging arrangements, organisations may prefer to only charge a fee when they are faced with the most excessive of SARs to avoid falling foul of the ICO’s prescriptive guidance.

Clarification rather than change

Many of you will be breathing a sigh of relief that the latest guidance does not change the existing rules you have been working to, but the guidance does offer some helpful clarification and practical guidance on some key points you’re likely to come across when handling SARs, and it is worth familiarising yourself with.
