Simplifying Subject Access Requests

new detailed SARs guidance

All individuals have the right to ask an organisation how they are using or storing their personal information. Individuals can also ask organisations for copies of the personal information that they hold, either verbally or in writing. This is known as the right of access and is commonly known as making a subject access request or SAR.

It is a fundamental right under data protection law that is increasingly necessary in a world where personal data has become one of the most valuable and traded commodities. Having the right to be able to find out how and why an organisation is storing or using your personal data is an invaluable right to keep companies accountable. The right of access is therefore a cornerstone of data protection law and good SAR compliance instils trust and confidence.

As increased awareness of individual data protection rights grow and exercising one’s right to make a SAR request becomes increasingly common, it is important that companies know how to deal with such a request effectively and efficiently. This is also fundamental given non-compliance with a SAR request can lead to heavy fines being imposed by the Information Commissioners Office (‘ICO’).

Recently published guidance follows calls from many organisations of all sizes and sectors, for clarification and examples as to the content of their obligations, and their rights, when a SAR is made against them, due to fears that the law is currently unclear.

There are numerous changes and updates published on the ICO website, but here is a summary of three notable changes:

  1. Stopping the clock for clarification – a common complaint is that there if often not enough time to respond to a SAR request. The ICO have therefore now confirmed that in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request.

 

  1. What is a manifestly excessive request – guidance on what this entails has been provided to combat confusion over when to class a request as manifestly excessive. For example, a request may be manifestly unfounded if the individual has no clear intention to access the information or is malicious in intent and is using the request to harass an organisation with no real purposes other than to cause disruption. For further guidance, click here.

 

  1. What can be included when charging a fee for excessive, unfounded or repeat requests – to address staff costs in dealing with manifestly unfounded or excessive requests, or responding to follow-up SARs, the ICO have provided guidance on when an admin fee can be charged. The exact fee is not set down, but it is stated that the fee must be reasonable, and you must be able to justify the cost, to the ICO if requested. For guidance, click here.