Revised time limit guidance
Until publishing this revised guidance, the ICO's position had been that the month's timescale go comply with a DSAR begins on the day after the DSAR is received. However, the revised guidance makes it clear that this is no longer the case; data controllers are now expected to calculate the time limit from the day that the DSAR is received (regardless of whether this is a working day). For example, the deadline for a DSAR received on 2 September 2019 would be 2 October 2019 (provided a decision is not made to extend the time limit by a further two months).
The other rules for calculating DSAR compliance deadlines remain the same. As a recap, these are:
- If there is no corresponding calendar date, the deadline is the last day of the relevant month (e.g. a DSAR received on 31 August would be due on 30 September, given that September only has 30 days); and
- If the DSAR deadline falls on a weekend or a public holiday, you have until the next working day to respond (e.g. the deadline for a DSAR received on 14 August 2019 will be Monday 16 September 2019).
Clarity on 'manifestly unfounded or excessive' DSARs
The revised ICO guidance has helpfully provided some clarity as to what constitutes a 'manifestly unfounded or excessive' DSAR (which data controllers are entitled to refuse to comply with).
The guidance explains that a DSAR may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example, if an individual makes a request, but then offers to withdraw it in return for some form of benefit; or
- the request is malicious in intent and is being used to harass
an organisation with no real purposes other than to cause
disruption. For example:
- the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
- the request makes unsubstantiated accusations against you or specific employees;
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption.
The guidance makes it clear, however, that this should not be treated as a simple tick list exercise that automatically means a request is manifestly unfounded. Likewise, data controllers should not presume that a request is manifestly unfounded just because the individual has previously submitted requests which have been manifestly unfounded or excessive, or because the request includes aggressive or abusive language.
Data controllers are expected instead to consider a request in the context in which it is made, and are responsible for demonstrating that it is manifestly unfounded. There must be an obvious or clear quality to it being unfounded and data controllers are expected to consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded.
The following example is provided in the guidance:
- An individual believes that information held about them is inaccurate. They repeatedly request that it is corrected but you have previously investigated and told them you regard it as accurate.
- The individual continues to make requests along with unsubstantiated claims against the data controller.
- The most recent request is refused because it is manifestly unfounded and the individual is notified of this.
A request may be excessive if:
- it repeats the substance of previous requests and a reasonable interval has not elapsed; or
- it overlaps with other requests.
It depends on the particular circumstances whether a request is excessive. A DSAR will not necessarily be excessive just because the individual:
- requests a large amount of information, even if this is burdensome. Instead, a data controller should consider asking the data subject for more information to help locate what they want to receive;
- wants to receive a further copy of information they have requested previously. In this situation a data controller can charge a reasonable fee for the administrative costs of providing this information again and it is unlikely that this would be an excessive request;
- made an overlapping request relating to a completely separate set of information; or
- previously submitted requests which have been manifestly unfounded or excessive.
When deciding whether a reasonable interval has elapsed the following should be considered:
- the nature of the data – this could include whether it is particularly sensitive;
- the purposes of the processing – these could include whether the processing is likely to cause detriment (harm) to the requester if disclosed; and
- how often the data is altered – if the information is unlikely to have changed between requests, there is no need to respond to the same request twice. However, if you have deleted information since the last request you should inform the individual of this.
WHAT THIS MEANS FOR EMPLOYERS
We recommend employers amend their internal DSAR processes and update any employees who handle DSARs to avoid getting caught out by the new calculation of the time limit rule. For any DSARs already in the pipeline, we recommend that data controllers aim to comply with the shortened deadline if possible. However, as this amendment was made by the ICO without much fanfare, data controllers may be able to argue in the short term that they were not aware of the change. The guidance on manifestly unfounded or excessive is welcome, as it has been some time coming.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.