ICO publishes guidance on how to respond to a DSAR

The ICO (Information Commissioner’s Office) has published guidelines that clarify organisations’ requirements when data subjects exercise their right to access to their personal data.

It follows a consultation period in which the data protection body observed that there was still widespread uncertainty about the DSAR (data subject access request) process.

Although individuals had the right to access long before the GDPR (General Data Protection Regulation) and its UK equivalent came into effect, the rules surrounding requests have become much stricter under the Regulation.

Unless certain exceptions are met, organisations that fail to respond to a DSAR within one month face substantial penalties.

The ICO’s guidance is designed to help organisations understand their requirements, providing further details on the following issues.

  • Stopping the clock for clarification

Many organisations said they often needed to clarify an individual’s request, a process that regularly prevented them from completing the request within the one-month deadline.

The ICO has addressed this, noting that organisations can ‘stop the clock’ for requests that require further information.

Only once the organisation receives the necessary details does the clock start again.

Consequently, organisations have no obligation to complete the DSAR should an individual fail to clarify their request.

The ICO urges organisations to be careful, however. They should only need to seek clarification if the request is complex or involves a large amount of personal data.

  • Manifestly unfounded and excessive requests

The GDPR states that organisations can reject a DSAR if the request is manifestly unfounded or excessive.

Unfortunately, many organisations are unsure when those exceptions apply, so the ICO has broadened its definition of the terms.

It states that a request may be manifestly unfounded when the individual has no intention of exercising their right of access (such as if they offer to withdraw the DSAR in return for some sort of benefit), or when the request is “malicious in intent and used to harass the organisation with no real purpose other than to cause disruption”.

The ICO adds that, although requests containing aggressive or abusive language are not acceptable, the use of such language doesn’t necessarily make a request manifestly unfounded.

Meanwhile, to determine whether a DSAR is excessive, organisations must consider whether the effort to complete it is proportionate to the burden or costs of providing the information.

Organisations should account for several issues, including the nature of the requested information, the context of the request, their relationship with the individual and whether a refusal to provide the information (or to acknowledge that they have it) would cause substantive damage to the individual.

Organisations should also consider their available resources, whether the DSAR repeats previous requests made within a short period and whether it overlaps with other requests.

It’s therefore not as simple as saying that any request involving a large amount of information is excessive.

If organisations are concerned about the amount of data they need to collate, they can ask the individual for more information to help locate it. When doing this, the organisation can ‘stop the clock’ on the response deadline, as explained above.

  • What can be included when charging a fee to complete DSARs

Unlike the GDPR’s predecessor, the DPA (Data Protection Act) 1998, organisations can only charge a fee to complete a DSAR if the request is manifestly unfounded or excessive and they choose not to reject it outright.

However, organisations have been given little guidance on how much they should charge or what costs should be considered.

As a result, they are concerned they are overcharging individuals, which could lead to complaints.

The ICO has therefore stated that organisations should determine their fee based on the time and effort it takes to verify the individual, locate and extract the information and provide a copy of their personal data.

Organisations should also factor in any costs related to communicating with the individual, including acknowledging the DSAR and sending the necessary information.

They should look in particular at the costs involved in transferring the information to the individual (such as photocopying or printing records), the equipment that will be used (discs, envelopes, USB devices) and the man hours it takes to complete the process.

Looking for more advice on DSARs?

Although the ICO has clarified some of the technical issues surrounding DSARs, many organisations are still unsure about the practicalities surrounding the right of access.

What should the first step of the process be? Should there be a system to determine if a request is manifestly unfounded or excessive, or whether further clarification is needed?

If you need advice or support, GRCI Law is here to help.

Our DSAR as a Service provides a team of experienced lawyers, barristers and cyber security experts who will manage the response process on your behalf.

You can find out more this service by downloading our brochure, which explains how our subscription service supports you in fulfilling your right of access requirements.

This includes verifying the validity of the request, confirming the individual’s identity, liaising with your organisation to produce the necessary information and documenting the necessary facts related to the request.

Download our brochure to find out more.