Updated guidance on data subject access requests
Employees have the right to ask employers for access to their personal data. Data subject access requests (SARs) must be handled without undue delay and in most circumstances within one month of receipt of the request.
The Information Commissioner’s Office (ICO) has published detailed guidance to help employers deal with SARs effectively and efficiently.
The guidance deals with issues including:
- What the right of access is, and what information the individual is entitled to
- How organisations should prepare for a SAR
- How to recognise a SAR
- What to consider when responding to a request
- How to find and retrieve relevant information
- When organisations can refuse to comply with a SAR
- How to deal with information about other individuals; and
- What exemptions there are.
The ICO has noted feedback in response to consultation on the first draft of the guidance and has included further guidance on the following particular issues:
- Stopping the clock for clarification – the ICO has included guidance on circumstances in which organisations can pause the response period whilst they are waiting for the data subject to clarify their request.
- Determining when a SAR is manifestly excessive – the guidance states that the organisation should consider whether the request is proportionate when balanced with the burden of costs involved in dealing with the request. Circumstances that can be taken into account include the nature of the requested information, the context of the request and the relationship between the organisation and the individual, the organisation’s available resources and whether it overlaps with other requests.
- Costs that can be included when charging a fee – although in most cases an organisation cannot charge a fee to comply with a SAR, a “reasonable fee” for the administrative costs of complying with a request can be charged for manifestly excessive, unfounded or repeated requests. The guidance clarifies that a reasonable fee may include the costs of photocopying, printing, equipment, transferring the data to the individual and staff time (charged at a reasonable hourly rate).
A suite of resources, including a simplified SAR guide for small businesses which picks out the key “need to knows” is being developed by the ICO.
Complying with a SAR is a serious obligation and employers should start working on complying with a SAR as soon as they receive it. It is therefore important to have procedures for recognising and handling SARs in place. The ICO guidance gives the following practical examples of ways in which organisations can prepare for a SAR:
- Provide staff training on how to recognise a SAR and, for relevant staff, how to handle a SAR
- Create guidance with links to SAR policies and procedures
- Appoint a specific person or team that is responsible for responding to SARs
- Produce a standard checklist that staff can use to ensure a consistent approach to SARs
- Have documented retention and deletion policies for the personal data the organisation processes
- Have measures in place to securely send information
Failure to comply with a request may result in a complaint to the ICO, which may lead to investigation by the Commissioner; or an application to court for a compliance order. Employers should therefore be aware of this guidance and consider reviewing any existing policies and procedures.
24 November 2020
If you would like to receive monthly employment law updates and news of our events, sign up for our email alerts.
©2020 SCRASE LAW LTD. THIS POST IS FOR GENERAL INFORMATION ONLY AND IS NOT ADVICE. YOU ARE RECOMMENDED TO SEEK COMPETENT PROFESSIONAL ADVICE BEFORE TAKING ANY ACTION ON THE BASIS OF THIS POST