ICO publishes guidance on responding to subject access requests
Responding to data subject access requests (DSARs) can be time-consuming, complex and in some cases difficult to complete within the one month timescale required under the Data Protection Act 2018 (DPA). The Information Commissioner’s Office (ICO) has recently published detailed Guidance on the right of access (the Guidance) which aims to provide a deeper understanding of how to apply the right in practice for those with specific data protection responsibilities. Helpfully, it takes the form of answers to commonly asked questions and includes useful illustrative examples.
In an employment context, DSARs are often used by employees or former employees as a way of obtaining copies of documents in advance of making a claim and have the effect of circumventing the tribunal disclosure rules. Although the right of access is ostensibly to help individuals understand how and why an organisation is using their data and to check it is being done lawfully, the fact that an employee’s collateral purpose for making a DSAR is often to use it as a “fishing expedition” to assist with litigation does not make the request invalid. The Court of Appeal in Dawson-Damer and ors v Taylor Wessing LLP considered that having such a collateral purpose did not amount to an abuse of process. Whilst the court may take a requester’s motive into account (in exercising the court’s discretion), the organisation in receipt of the request may not (subject to the rules on manifestly unfounded requests – see below). That decision was not good news for employers but this Guidance to some extent recognises the potential burden placed on those at the receiving end of a DSAR and appears to be more business-friendly. We highlight below some areas of particular interest.
Extending time for a response
The time to respond to a DSAR (a month from receipt) can be extended by a further two months if the request is complex or the individual has sent in a number of requests. The Guidance looks at where a DSAR may be considered complex. Much will depend on the size and resources and individual circumstances of the organisation and it will need to demonstrate why the request is complex. The examples given include technical difficulties in retrieving the information; where specialist work is needed to obtain the information or communicate it in an intelligible form; where it is necessary to clarify potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party or where specialist legal advice is needed but not where this is routinely sought. A large volume of information does not automatically make a request complex.
“Stopping the clock to ask for clarification”
The Guidance has given more concrete guidance around the concept of pausing the time limit for responding where clarification is sought by a respondent. This only applies where the employer processes a large amount of information about an individual and clarification is genuinely needed to identify what information or processing activities the request relates to in order to respond. Clarification should not be sought on a blanket basis, it should be sought promptly and there is no requirement to seek it. The organisation may choose to perform a reasonable search instead.
The time limit is extended by the number of days that the clock was stopped until the individual clarifies their request. If the individual repeats their request or refuses to provide additional information, the organisation must still comply with the request by making reasonable searches. If the individual doesn’t reply, the Guidance states that a month is generally a reasonable time to wait before closing the request but the organisation must adopt a reasoned and proportionate approach.
Refusing to comply with a request
A request maybe refused where a request is “manifestly unfounded” or “manifestly excessive” and the Guidance gives examples of what these terms mean. It states that a request may be manifestly unfounded where the individual has no intention to exercise their right of access for example, they make the request and then offer to withdraw it in return for some form of benefit from the organisation or where the request is malicious in intent and is being used to harass an organisation and cause disruption, for example, they explicitly state that they intend to cause disruption, or make unsubstantiated accusations against the organisation or specific employees which are clearly prompted by malice. It must be clear and obvious and if an individual genuinely wants to exercise their rights, it is unlikely the request could be regarded as manifestly unfounded.
A request is manifestly excessive where it is clearly or obviously unreasonable based on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. All the circumstances must be taken into account including the nature of the requested information, the context, whether a refusal may cause substantive damage to the individual, the organisation’s available resources, whether he/she repeats previous requests and whether it overlaps with other requests. It should be noted that requesting a large amount of information does not of itself necessarily make the request manifestly excessive.
Any organisation refusing to comply with a request should ensure that they can clearly demonstrate to the ICO their grounds for doing so.
Charging a fee
In most cases an organisation cannot charge a fee for complying with a DSAR. However, it can charge a “reasonable fee” for the administrative costs of complying with a request if it is manifestly excessive or manifestly unfounded or an individual requests further copies of their data following a request.
The Guidance states that a reasonable fee may include the costs of the employer’s staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of equipment (e.g. discs, envelopes and USB devices).
The DPA provides for the introduction of regulations to specify limits on fees that may be charged. However, these have yet to be enacted and therefore it is the data controller’s responsibility to determine the reasonable rate and to ensure that fees are charged in a reasonable, proportionate and consistent manner. The Guidance states that it is good practice to establish an unbiased set of criteria available on request explaining the circumstances in which a fee is charged, standard charges (e.g. for photocopying per A4 photocopy) and how it is calculated. If the individual complains to the ICO the organisation must be able to justify the fee. There is no need to comply with the DSAR until the fee has been received but employers should not delay asking for a fee as a way of extending time.
In most cases charging a fee will not be permissible and it seems unlikely that this practice will become more common. However, there will be times when a respondent can justifiably ask for a fee to be paid by a data subject provided it can meet the high bar set by the interpretation of ”manifestly excessive” or “manifestly unfounded”. We certainly expect some employers to advance these arguments when faced with DSARs that they consider to be grossly unfair, tactical and/or disproportionate.