ICO publishes guidance on responding to subject access requests
Responding to data subject access requests (DSARs) can be time-consuming, complex and in some cases difficult to complete within the one month timescale required under the Data Protection Act 2018 (DPA). The Information Commissioner’s Office (ICO) has recently published detailed Guidance on the right of access (the Guidance) which aims to provide a deeper understanding of how to apply the right in practice for those with specific data protection responsibilities. Helpfully, it takes the form of answers to commonly asked questions and includes useful illustrative examples.
In an employment context, DSARs are often used by employees or former employees as a way of obtaining copies of documents in advance of making a claim and have the effect of circumventing the tribunal disclosure rules. Although the right of access is ostensibly to help individuals understand how and why an organisation is using their data and to check it is being done lawfully, the fact that an employee’s collateral purpose for making a DSAR is often to use it as a “fishing expedition” to assist with litigation does not make the request invalid. The Court of Appeal in Dawson-Damer and ors v Taylor Wessing LLP considered that having such a collateral purpose did not amount to an abuse of process. Whilst the court may take a requester’s motive into account (in exercising the court’s discretion), the organisation in receipt of the request may not (subject to the rules on manifestly unfounded requests – see below). That decision was not good news for employers but this Guidance to some extent recognises the potential burden placed on those at the receiving end of a DSAR and appears to be more business-friendly. We highlight below some areas of particular interest.
Extending time for a response
The time to respond to a DSAR (a month from receipt) can be extended by a further two months if the request is complex or the individual has sent in a number of requests. The Guidance looks at where a DSAR may be considered complex. Much will depend on the size and resources and individual circumstances of the organisation and it will need to demonstrate why the request is complex. The examples given include technical difficulties in retrieving the information; where specialist work is needed to obtain the information or communicate it in an intelligible form; where it is necessary to clarify potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party or where specialist legal advice is needed but not where this is routinely sought. A large volume of information does not automatically make a request complex.
“Stopping the clock to ask for clarification”
The Guidance has given more concrete guidance around the concept of pausing the time limit for responding where clarification is sought by a respondent. This only applies where the employer processes a large amount of information about an individual and clarification is genuinely needed to identify what information or processing activities the request relates to in order to respond. Clarification should not be sought on a blanket basis, it should be sought promptly and there is no requirement to seek it. The organisation may choose to perform a reasonable search instead.
The time limit is extended by the number of days that the clock was stopped until the individual clarifies their request. If the individual repeats their request or refuses to provide additional information, the organisation must still comply with the request by making reasonable searches. If the individual doesn’t reply, the Guidance states that a month is generally a reasonable time to wait before closing the request but the organisation must adopt a reasoned and proportionate approach.
Refusing to comply with a request
A request maybe refused where a request is “manifestly unfounded” or “manifestly excessive” and the Guidance gives examples of what these terms mean. It states that a request may be manifestly unfounded where the individual has no intention to exercise their right of access for example, they make the request and then offer to withdraw it in return for some form of benefit from the organisation or where the request is malicious in intent and is being used to harass an organisation and cause disruption, for example, they explicitly state that they intend to cause disruption, or make unsubstantiated accusations against the organisation or specific employees which are clearly prompted by malice. It must be clear and obvious and if an individual genuinely wants to exercise their rights, it is unlikely the request could be regarded as manifestly unfounded.
A request is manifestly excessive where it is clearly or obviously unreasonable based on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. All the circumstances must be taken into account including the nature of the requested information, the context, whether a refusal may cause substantive damage to the individual, the organisation’s available resources, whether he/she repeats previous requests and whether it overlaps with other requests. It should be noted that requesting a large amount of information does not of itself necessarily make the request manifestly excessive.
Any organisation refusing to comply with a request should ensure that they can clearly demonstrate to the ICO their grounds for doing so.
Charging a fee
In most cases an organisation cannot charge a fee for complying with a DSAR. However, it can charge a “reasonable fee” for the administrative costs of complying with a request if it is manifestly excessive or manifestly unfounded or an individual requests further copies of their data following a request.
The Guidance states that a reasonable fee may include the costs of the employer’s staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of equipment (e.g. discs, envelopes and USB devices).
The DPA provides for the introduction of regulations to specify limits on fees that may be charged. However, these have yet to be enacted and therefore it is the data controller’s responsibility to determine the reasonable rate and to ensure that fees are charged in a reasonable, proportionate and consistent manner. The Guidance states that it is good practice to establish an unbiased set of criteria available on request explaining the circumstances in which a fee is charged, standard charges (e.g. for photocopying per A4 photocopy) and how it is calculated. If the individual complains to the ICO the organisation must be able to justify the fee. There is no need to comply with the DSAR until the fee has been received but employers should not delay asking for a fee as a way of extending time.
In most cases charging a fee will not be permissible and it seems unlikely that this practice will become more common. However, there will be times when a respondent can justifiably ask for a fee to be paid by a data subject provided it can meet the high bar set by the interpretation of ”manifestly excessive” or “manifestly unfounded”. We certainly expect some employers to advance these arguments when faced with DSARs that they consider to be grossly unfair, tactical and/or disproportionate.
IBA Annual Conference
The IBA heads to Miami for its 2022 Annual Conference bringing together thousands hundreds of lawyers from around the world.
Charles Russell Speechlys acts for Maitland Medical Services Ltd on its acquisition of Soma Health Limited
We have advised Maitland Medical Services Ltd on its acquisition of Soma Health Limited.
Dominic Lawrance and Catrin Harrison write for Tax Journal on the statutory residence test
The statutory residence test: an exceptionally useful case on ‘exceptional circumstances’
7 top tips for Food and Beverage brands preparing for Private Equity investment
Planning and preparing for investment into your F&B business in advance of entertaining discussions will stand you in good stead.
Charles Russell Speechlys advises Zenzero on the acquisition of OnTech
Zenzero is one of the fastest growing service providers in the UK, supporting over 10,000 users across a variety of industries.
Mind your business: Safeguarding your business against loss of mental capacity
Practical considerations to safeguard your business against loss of mental capacity.
PART 36— A move towards greater flexibility?
Discussing the possibility of the Part 36 regime opening up with recent developments.
FT Wealth quotes Sarah Anticoni on forum shopping
"Being the first to file for divorce is not a foolproof way of securing an English hearing"
What can UK investors interested in Life Sciences learn from their more experienced, including US, counterparts?
The recent tie-up between Canary Wharf and Kadans demonstrates the enthusiasm to access the lucrative UK life sciences market.
The hurdles in establishing retrospective validation of post-petition dispositions
A discussion on the key takeaways from ICC Judge Barbers recent case ruling.
Helen Coward writes for Tax Journal on the main purpose test for SDLT group relief
Mainly ignored? The main purpose test for SDLT group relief
The Ayes have it - Collateral Warranties can be a ‘Construction Contract’
The Court of Appeal handed down its judgment in the case of Abbey Healthcare (Mill Hill) Limited v Simply Construct (UK) LLP
Charles Russell Speechlys advises Caretech Holdings PLC on its proposed £870.3 million take private
Charles Russell Speechlys is advising the independent board of Caretech Holdings PLC, in its take private sale to Amalfi Bidco Limited.
Charles Russell Speechlys advising Battery Ventures on the sale of SPT Labtech for £650 million.
Battery Ventures has raised over $9 billion to invest in software and services, enterprise infrastructure, and much more around the world.
Windrush Day 2022 – supporting access to justice
Charles Russell Speechlys is proud to continue supporting survivors of the Windrush scandal in their fight for justice.
The Leasehold Reform (Ground Rent) Act 2022: Landlords and developers beware serious sanctions for non-compliance
The Leasehold Reform (Ground Rent) Act 2022 received Royal Assent on 8 February 2022 and will come into force on 30 June 2022.
EG quotes Emma Preece on the Picturehouse and BNY Mellon rent arrears cases
“The case is being closely watched by landlords and tenants alike as the impact of the pandemic lives on in the commercial property sector”
Charles Russell Speechlys has advised long-standing client Stonegate on a series A investment into Peckwater Brands
Stonegate is one of the largest pub companies in the UK with a rich portfolio that covers over 4,500 sites.
Pro bono support for major office premises move for charity in Stoke-on-Trent
Emmaus entities provide safe homes, community support and meaningful work to formerly homeless people across the UK.
Financier Worldwide quotes Rachel Warren on the UK’s Economic Crime Act
Evaluating the UK’s Economic Crime Act