Data subject access requests: three recent developments
Chris Hamblin, Editor, London, 4 April 2021
In October the UK's Information Commissioner's Office published 'right of access detailed guidance' to interpret some of its rules more clearly than it had done before.
The ICO was responding to popular demand by being clearer about three points that the public had raised.
- "Stopping the clock for clarification" – the ICO decided that firms often did not have enough time to respond to calls (presumably by data subjects) for clarification about requests. It now says that, in certain circumstances, an organisation can stop the clock while it waits for the requester to clarify his request. The law firm of DAC Beachcroft has written on the subject: "The new guidance offers a compromise in the form of a “stop the clock” mechanism where clarification of the DSAR is genuinely needed in order for the data controller to carry out a reasonable search. In these circumstances, the timescale for responding to the DSAR will be extended by the period taken for the data subject to provide the requested clarification. So, for example, if a DSAR is submitted on 14 November, clarification is sought by the data controller on 16 November but this clarification is not provided by the data subject until 16 December, the data controller will benefit from an additional month to complete the response to the DSAR (as the clock stops between 16 November and 16 December)."
- What is a 'manifestly excessive' request? To combat confusion over when to class a request as manifestly excessive, the ICO has written more guidelines and has broadened the reach of the term. Firms should relate 'excessiveness' to their available resources and whether the requests overlap with other ones.
- When a firm charges a requester an administration fee for excessive, unfounded or repeat requests, it can take various things into account. The ICO has taken the feedback on board and made some pronouncements. Phil Tompkins, a partner at the Newcastle firm of Ward Hadaway, has written: "A reasonable fee can include the costs of staff time, which should be based on the estimated time it will take staff to comply with a DSAR. The Data Protection Act 2018 permits regulations to be made to specify limits on the fees that a controller may charge when dealing with manifestly unfounded or excessive DSARs (although no such regulations are yet in place)."
The ICO made many more changes, but these were the outstanding ones.