• news-banner

    Expert Insights

ICO publishes guidance on responding to subject access requests

Responding to data subject access requests (DSARs) can be time-consuming, complex and in some cases difficult to complete within the one month timescale required under the Data Protection Act 2018 (DPA). The Information Commissioner’s Office (ICO) has recently published detailed Guidance on the right of access (the Guidance) which aims to provide a deeper understanding of how to apply the right in practice for those with specific data protection responsibilities. Helpfully, it takes the form of answers to commonly asked questions and includes useful illustrative examples.   

In an employment context, DSARs are often used by employees or former employees as a way of obtaining copies of documents in advance of making a claim and have the effect of circumventing the tribunal disclosure rules. Although the right of access is ostensibly to help individuals understand how and why an organisation is using their data and to check it is being done lawfully, the fact that an employee’s collateral purpose for making a DSAR is often to use it as a “fishing expedition” to assist with litigation does not make the request invalid. The Court of Appeal in Dawson-Damer and ors v Taylor Wessing LLP considered that having such a collateral purpose did not amount to an abuse of process. Whilst the court may take a requester’s motive into account (in exercising the court’s discretion), the organisation in receipt of the request may not (subject to the rules on manifestly unfounded requests – see below). That decision was not good news for employers but this Guidance to some extent recognises the potential burden placed on those at the receiving end of a DSAR and appears to be more business-friendly. We highlight below some areas of particular interest. 

Extending time for a response

The time to respond to a DSAR (a month from receipt) can be extended by a further two months if the request is complex or the individual has sent in a number of requests. The Guidance looks at where a DSAR may be considered complex. Much will depend on the size and resources and individual circumstances of the organisation and it will need to demonstrate why the request is complex. The examples given include technical difficulties in retrieving the information; where specialist work is needed to obtain the information or communicate it in an intelligible form; where it is necessary to clarify potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party or where specialist legal advice is needed but not where this is routinely sought. A large volume of information does not automatically make a request complex.

“Stopping the clock to ask for clarification”

The Guidance has given more concrete guidance around the concept of pausing the time limit for responding where clarification is sought by a respondent. This only applies where the employer processes a large amount of information about an individual and clarification is genuinely needed to identify what information or processing activities the request relates to in order to respond. Clarification should not be sought on a blanket basis, it should be sought promptly and there is no requirement to seek it. The organisation may choose to perform a reasonable search instead. 

The time limit is extended by the number of days that the clock was stopped until the individual clarifies their request. If the individual repeats their request or refuses to provide additional information, the organisation must still comply with the request by making reasonable searches. If the individual doesn’t reply, the Guidance states that a month is generally a reasonable time to wait before closing the request but the organisation must adopt a reasoned and proportionate approach. 

Refusing to comply with a request

A request maybe refused where a request is “manifestly unfounded” or “manifestly excessive” and the Guidance gives examples of what these terms mean. It states that a request may be manifestly unfounded where the individual has no intention to exercise their right of access for example, they make the request and then offer to withdraw it in return for some form of benefit from the organisation or where the request is malicious in intent and is being used to harass an organisation and cause disruption, for example, they explicitly state that they intend to cause disruption, or make unsubstantiated accusations against the organisation or specific employees which are clearly prompted by malice. It must be clear and obvious and if an individual genuinely wants to exercise their rights, it is unlikely the request could be regarded as manifestly unfounded. 

A request is manifestly excessive where it is clearly or obviously unreasonable based on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. All the circumstances must be taken into account including the nature of the requested information, the context, whether a refusal may cause substantive damage to the individual, the organisation’s available resources, whether he/she repeats previous requests and whether it overlaps with other requests. It should be noted that requesting a large amount of information does not of itself necessarily make the request manifestly excessive.

Any organisation refusing to comply with a request should ensure that they can clearly demonstrate to the ICO their grounds for doing so. 

Charging a fee

In most cases an organisation cannot charge a fee for complying with a DSAR. However, it can charge a “reasonable fee” for the administrative costs of complying with a request if it is manifestly excessive or manifestly unfounded or an individual requests further copies of their data following a request.  

The Guidance states that a reasonable fee may include the costs of the employer’s staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of equipment (e.g. discs, envelopes and USB devices).

The DPA provides for the introduction of regulations to specify limits on fees that may be charged. However, these have yet to be enacted and therefore it is the data controller’s responsibility to determine the reasonable rate and to ensure that fees are charged in a reasonable, proportionate and consistent manner. The Guidance states that it is good practice to establish an unbiased set of criteria available on request explaining the circumstances in which a fee is charged, standard charges (e.g. for photocopying per A4 photocopy) and how it is calculated. If the individual complains to the ICO the organisation must be able to justify the fee. There is no need to comply with the DSAR until the fee has been received but employers should not delay asking for a fee as a way of extending time. 

In most cases charging a fee will not be permissible and it seems unlikely that this practice will become more common. However, there will be times when a respondent can justifiably ask for a fee to be paid by a data subject provided it can meet the high bar set by the interpretation of ”manifestly excessive” or “manifestly unfounded”. We certainly expect some employers to advance these arguments when faced with DSARs that they consider to be grossly unfair, tactical and/or disproportionate.

For more information, please contact Nick Hurley, or your usual Charles Russell Speechlys contact.

Our thinking

  • Some High Street shops are boarded up – but not for much longer?

    Samuel Lear

    Insights

  • A new prospectus regime and other developments impacting UK Equity Capital Markets in 2025

    Victoria Younghusband

    Insights

  • Cryptoasset Staking: The Collective Investment Scheme Crypto Exemption

    Racheal Muldoon

    Insights

  • Data protection reform in the UK: what’s being proposed and what are the practical considerations?

    Janine Regan

    Insights

  • Mergers and acquisitions in the IT services sector: a strategic overview of 2024 and predictions for 2025

    Mark Howard

    Insights

  • The Financial Times quotes Sally Ashford on predatory marriage and claims against wills

    Sally Ashford

    In the Press

  • Howden's Insurance quotes Rebecca Steer on AI training data and copyright

    Rebecca Steer

    In the Press

  • Cryptoassets as property: the latest from the courts and legislators

    Sonia Kenawy

    Insights

  • AI in Advertising: Balancing Innovation and Integrity

    Willemijn Paul

    Quick Reads

  • Policy; Private Capital & Digital Transformation: What to look for in the Investors & Entrepreneurs’ space in 2025

    Mike Barrington

    Insights

  • The Law Society Gazette and eprivateclient quote Sarah Jane Boon on 'Divorce Day'

    Sarah Jane Boon

    In the Press

  • Sports media rights and recent changes to the UK “Listed Events” regime

    Richard Davies

    Insights

  • BBC Radio Surrey interviews Shona Alexander on ‘Divorce Day’

    Shona Alexander

    In the Press

  • Charles Russell Speechlys continues to develop its Financial Services and Funds practice with the appointment of Racheal Muldoon

    David Collins

    News

  • Energy Transition Disputes: What we're seeing and what we're expecting

    Peter Brabant

    Insights

  • Charles Russell Speechlys appoints new Corporate Partner in Singapore

    Simon Green

    News

  • Updated HMRC guidance following Vermilion Holdings: when is a securities option “employment-related”?

    Tessa Newman

    Insights

  • Claire Fallows writes for New Civil Engineer on how developers can navigate Biodiversity Net Gain in 2025

    Claire Fallows

    In the Press

  • Charles Russell Speechlys strategically enhances its European operations with the arrival of new Partner Aline Wey Speirs in Switzerland

    Aline Wey Speirs

    News

  • Keir Gordon and Molly Moseley write for City AM on the Miami Dolphins and Buffalo Bills becoming the first NFL teams to sign private equity deals

    Keir Gordon

    In the Press

Back to top