The Information Commissioner's Office (ICO) has published draft guidance on handling data subject access requests under GDPR. You can find the guidance at https://ico.org.uk/media/about-the-ico/consultations/2616442/right-of-access-draft-consultation-20191204.pdf.
The guidance will replace that published in April 2018. It covers topics such as:
- how to recognise a subject access request;
- finding and retrieving the relevant information;
- how to supply the information;
- when a request can be refused;
- claiming exemptions; and
- dealing with information about third parties.
Key concerns for organisations
Unfortunately, we have not found that the guidance provides any particularly useful information when it comes to dealing with requests that you may consider excessive. We know our clients are concerned about the size of requests made. The guidance merely points out cases where an organisation should not consider a request excessive. It does not give any tangible assistance to organisations to enable them to push back on unreasonable requests.
However, the guidance does helpfully deal with the ability to extend the time to respond. An organisation can extend the response time to three months where a request is complex or one of many requests from the individual. It gives examples of factors that may, in some circumstances, add to the complexity of a request. For example, technical difficulties in retrieving the information, applying an exemption to large volumes of sensitive information, or applying redactions.
The guidance does not add much in the way of a steer around charging a fee. It confirms an organisation can charge a fee for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if further copies are required. The fee must be reasonable, and cannot include the time taken to deal with the request.
The guidance will sit alongside the ICO's guide which explains the general data protection regime and explains the data protection principles, rights and obligations. You can find the guide at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/.
The consultation aims to gather the views of stakeholders and the public as to where further clarity is needed, based on experiences of dealing with subject access requests. The consultation is open until 17:00 on 12 February 2020. To feed into the consultation, please visit https://wh.snapsurveys.com/s.asp?k=157493897966.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.