New Guidance: Rights of Access to Personal Data
Subject Access Requests (‘SAR’) can be a complicated and difficult burden for employers. The Information Commissioners Office (‘ICO’) has released new guidance on Rights of Access.
In a right granted by the General Data Protection Regulations (‘GDPR’), individuals have the right to request a copy of their personal data which is held by an organisation. From an employment point of view, such requests are often used by employees who may be heading towards litigation and want to know what personal data is held by their employers. SAR’s can be a huge burden for any employer, irrespective of size, with many requests covering years of data, including emails or other messages identifying the individual as the subject.
To date, employers have been extremely critical of the guidance available from the ICO, with many employers receiving warnings or even fines for misinterpreting what should and should not be disclosed. Following a period of two years since their release, the ICO have now released guidance for employers on how to identify and process SAR’s, including answering some of the most common questions raised.
The ICO began consulting on new guidance in December 2019 and received over 350 responses from different organisations and sectors. It produced this guidance to clarify the right, focusing particularly on three key points:
- Stopping the clock for clarification;
- Defining a manifestly excessive request; and
- What can be included when charging a fee.
1. Stopping the clock for clarification
Following feedback that requesting clarification on an SAR did not leave enough time for the delivery of the information within a month (as per the regulations), the new guidance gives examples of when the clock can be stopped to request clarification. It makes it clear that this should only be sought where it is genuinely required, and where a large amount of information is processed. If you have grounds to request clarification, this should be done as soon as possible after receipt of the SAR, and not as the month deadline approaches.
2. Defining a manifestly excessive request
The ICO has provided clarity on what a manifestly excessive request might look like, and requires an organisation to consider whether it is “clearly or obviously unreasonable” when taking into account all the circumstances including the nature of the information, your resources and repeat requests, amongst other considerations.
3. What can be included when charging a fee
In most cases, it is not appropriate to charge a fee but under limited circumstances it can be, for example where the requests are manifestly unfounded, excessive or repeated. The ICO has clarified that a reasonable fee could include photocopying, printing, postage, equipment and supplies (eg. USB sticks) and staff time (based on the estimated time at a reasonable hourly rate).
It is necessary to read the full guidance if you are complying with SAR's, but it is helpful that some of these key points for employers have been clarified by the ICO.
What does this mean for you or your business?
Given the increase in demand for SAR's, the ICO are planning to create extra resources including simplified SAR guidance for small businesses. As more employees become aware of this powerful right, it is important as an employer that you are getting it right. This enhanced guidance does provide extra clarity, but there is also a burden on employers to make sure that they are fully compliant and are handling personal data in a sensible and legal way.
What do you need to be doing now?
This right is not new, but the guidance is welcomed. As an employer, make sure that you are aware of the rights of individuals and the time limits to respond to an SAR, and of the risks of not responding appropriately. Please do contact us with any queries, or for assistance in responding to an SAR.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.