On October 21, 2020, the Information Commissioner’s Office (ICO) published guidance on subject access requests (SARs), aiming to provide more detailed information and address specific practical concerns so organizations can handle the requests effectively and efficiently.


As the use of personal data continues to increase, more people are exercising their rights in relation to their data, so ensuring that individuals have access to their personal data is becoming an increasing priority for organizations. Fortunately, it doesn’t need to be complicated!

Aimed at DPOs, the ICO’s guidance provides clarity on the nature of access rights, how to prepare for SARs, how to respond, and exemption classifications. There are also sections dedicated to the right of access to health, education, and social work data, addressing the nuances of those sectors.

What Has the ICO Clarified?

This latest guidance from the ICO aims to help organizations fulfill their SAR responsibilities, with detailed information on all areas of the SAR process. The ICO notably provided clarity on four key issues that were highlighted in their December 2019 consultation.

  • Stopping the clock: Much of the feedback highlighted that seeking clarification on requests meant there was not sufficient time to respond. As a result, the ICO has said that in certain circumstances organizations can ‘stop the clock’ while waiting for clarification from the requester. 
  • A manifestly excessive request: The ICO has published additional guidance and broadened the definition of what constitutes a manifestly excessive request. The circumstances that must be considered include the nature of the information requested, the context of the request, potential damage to the individual that a refusal may cause, the resources you have available, whether the request is largely a repeat, and any overlap with other requests. 
  • Charges for excessive, unfounded, or repeat requests: Having considered the feedback provided in relation to the fee for staff time involved in responding to clearly unfounded or excessive requests for follow-up SARs, the ICO has updated the guidance around what organizations can take into account when charging an administrative fee. 
  • Requests through agents and third-party software: The ICO provided more detailed guidance on what to take into account when assessing a request submitted on behalf of the actual data subject and whether it can be complied with. Specifically, the guidance addresses the recent spike in SARs generated through third-party online portals. 

This in-depth guidance on SARs is a helpful step forward for organizations working towards an effective SARs process. The ICO is also planning to release additional resources including simplified SAR guidance for small businesses, so that’s something to watch out for!

Building a strong process around access requests is a vital part of any compliance program: it helps instill trust in an organization and is therefore key to a successful relationship with users. For information on how you can build a strong SARs process, register for our webinar, ICO Releases DSAR Guidance: What You Need to Know.