ICO publishes guidance on responding to subject access requests
Responding to data subject access requests (DSARs) can be time-consuming, complex and in some cases difficult to complete within the one month timescale required under the Data Protection Act 2018 (DPA). The Information Commissioner’s Office (ICO) has recently published detailed Guidance on the right of access (the Guidance) which aims to provide a deeper understanding of how to apply the right in practice for those with specific data protection responsibilities. Helpfully, it takes the form of answers to commonly asked questions and includes useful illustrative examples.
In an employment context, DSARs are often used by employees or former employees as a way of obtaining copies of documents in advance of making a claim and have the effect of circumventing the tribunal disclosure rules. Although the right of access is ostensibly to help individuals understand how and why an organisation is using their data and to check it is being done lawfully, the fact that an employee’s collateral purpose for making a DSAR is often to use it as a “fishing expedition” to assist with litigation does not make the request invalid. The Court of Appeal in Dawson-Damer and ors v Taylor Wessing LLP considered that having such a collateral purpose did not amount to an abuse of process. Whilst the court may take a requester’s motive into account (in exercising the court’s discretion), the organisation in receipt of the request may not (subject to the rules on manifestly unfounded requests – see below). That decision was not good news for employers but this Guidance to some extent recognises the potential burden placed on those at the receiving end of a DSAR and appears to be more business-friendly. We highlight below some areas of particular interest.
Extending time for a response
The time to respond to a DSAR (a month from receipt) can be extended by a further two months if the request is complex or the individual has sent in a number of requests. The Guidance looks at where a DSAR may be considered complex. Much will depend on the size and resources and individual circumstances of the organisation and it will need to demonstrate why the request is complex. The examples given include technical difficulties in retrieving the information; where specialist work is needed to obtain the information or communicate it in an intelligible form; where it is necessary to clarify potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party or where specialist legal advice is needed but not where this is routinely sought. A large volume of information does not automatically make a request complex.
“Stopping the clock to ask for clarification”
The Guidance has given more concrete guidance around the concept of pausing the time limit for responding where clarification is sought by a respondent. This only applies where the employer processes a large amount of information about an individual and clarification is genuinely needed to identify what information or processing activities the request relates to in order to respond. Clarification should not be sought on a blanket basis, it should be sought promptly and there is no requirement to seek it. The organisation may choose to perform a reasonable search instead.
The time limit is extended by the number of days that the clock was stopped until the individual clarifies their request. If the individual repeats their request or refuses to provide additional information, the organisation must still comply with the request by making reasonable searches. If the individual doesn’t reply, the Guidance states that a month is generally a reasonable time to wait before closing the request but the organisation must adopt a reasoned and proportionate approach.
Refusing to comply with a request
A request maybe refused where a request is “manifestly unfounded” or “manifestly excessive” and the Guidance gives examples of what these terms mean. It states that a request may be manifestly unfounded where the individual has no intention to exercise their right of access for example, they make the request and then offer to withdraw it in return for some form of benefit from the organisation or where the request is malicious in intent and is being used to harass an organisation and cause disruption, for example, they explicitly state that they intend to cause disruption, or make unsubstantiated accusations against the organisation or specific employees which are clearly prompted by malice. It must be clear and obvious and if an individual genuinely wants to exercise their rights, it is unlikely the request could be regarded as manifestly unfounded.
A request is manifestly excessive where it is clearly or obviously unreasonable based on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. All the circumstances must be taken into account including the nature of the requested information, the context, whether a refusal may cause substantive damage to the individual, the organisation’s available resources, whether he/she repeats previous requests and whether it overlaps with other requests. It should be noted that requesting a large amount of information does not of itself necessarily make the request manifestly excessive.
Any organisation refusing to comply with a request should ensure that they can clearly demonstrate to the ICO their grounds for doing so.
Charging a fee
In most cases an organisation cannot charge a fee for complying with a DSAR. However, it can charge a “reasonable fee” for the administrative costs of complying with a request if it is manifestly excessive or manifestly unfounded or an individual requests further copies of their data following a request.
The Guidance states that a reasonable fee may include the costs of the employer’s staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of equipment (e.g. discs, envelopes and USB devices).
The DPA provides for the introduction of regulations to specify limits on fees that may be charged. However, these have yet to be enacted and therefore it is the data controller’s responsibility to determine the reasonable rate and to ensure that fees are charged in a reasonable, proportionate and consistent manner. The Guidance states that it is good practice to establish an unbiased set of criteria available on request explaining the circumstances in which a fee is charged, standard charges (e.g. for photocopying per A4 photocopy) and how it is calculated. If the individual complains to the ICO the organisation must be able to justify the fee. There is no need to comply with the DSAR until the fee has been received but employers should not delay asking for a fee as a way of extending time.
In most cases charging a fee will not be permissible and it seems unlikely that this practice will become more common. However, there will be times when a respondent can justifiably ask for a fee to be paid by a data subject provided it can meet the high bar set by the interpretation of ”manifestly excessive” or “manifestly unfounded”. We certainly expect some employers to advance these arguments when faced with DSARs that they consider to be grossly unfair, tactical and/or disproportionate.
Charity Training: Digital Transformation in the Charity Sector
We would be delighted if you could join us for the second session in our new series of bite-size webinars for charities.
Charity Training: Brand Protection
We would be delighted if you could join us for the first in our new series of bite-size webinars for charities.
The UK’s New Skilled Worker & Intra-Company Visa Routes: a closer look
Taking a closer look at the UK’s new visas to assist UK businesses.
Practicalities in Cladding Claims
Insight into Issues with Cladding Claims
EWS1 Forms - the latest episode
RICS have now published their highly anticipated guidance on when EWS1 forms will be required.
Q&A: Am I insured for COVID-19?
Laura Bushaway writes for Estates Gazette on a recent claim under the “disease clause” of business interruption policy.
The Purpose Podcast: Corporate purpose
Simon Ridpath discusses corporate purpose and the rise of environmental, social and governance (ESG) issues in “The Purpose Podcast”
Client alert: Construction under competition law spotlight
We outline the three investigations which have either recently concluded or are ongoing together with what this means for businesses.
Looking beyond the benefitted land: confirmation that an objector’s wider property may be considered in applications to discharge/modify restrictive covenants
Read our recent case study on applicants who were prevented from developing a new house due to a restrictive covenant covering their land.
Further extension of coronavirus restrictions affecting residential properties: Where are we now?
The extension will be implemented from and including 31 March 2021 by the Coronavirus Act 2020.
Knight Frank Wealth Report: The Global Perspective on Prime Property & Investment
Knight Frank partners joined Charles Russell Speechlys for a virtual panel-led discussion on the Knight Frank Wealth Report
Case Study: One Blackfriars Limited
An informative and positive judgment for administrators selling high-value property in distressed and complex scenarios.
Keeping Up With Construction: Handover at Practical Completion - Practical Pointers
Practical tips for the handover of a successful project.
Charles Russell Speechlys advises on Trident Royalties’ US$28m Placing
Trident Royalties plc is a growth-focused mining royalty and streaming company.
Temporary restrictions on winding-up petitions extended until 30 June 2021
As the restrictions are extended, read what it means for you here.
Charles Russell Speechlys advises Avation plc on £7.5m secondary placing
Headquartered in Singapore, Avation plc manages a fleet of aircraft which it leases to airlines across the world.
The Corporate team's involvement in Fishawack Health’s acquisition of PRMA featured in Yahoo! Finance USA, Markets Insider and Morning Star
Martin Wright and the Corporate team provided legal support on the acquisition of PRMA Consulting.
Charles Russell Speechlys, Strategic Partners of the Asoko Insight West Africa's Family-Owned Business Report
The report is the most comprehensive study of Family-Owned Businesses throughout West Africa.
To Promote or not to Promote, that is the Option: Top 10 Tips with Promotion Agreements
Providing you with the top ten tips with promotion agreements - what should you know?
Jessica Arrol quoted by Real Deals on the implementation of SFDR
SFDR aims to remove greenwashing and promote transparency in reporting ESG, but GPs and LPs are experiencing its flaws.