On 21 October 2020 the UK data protection authority (ICO) published a new Right of Access Detailed Guidance (SAR Guidance), following the public consultation on the SAR Draft Guidance (Draft Guidance) which ran from December 2019 to February 2020. The main changes introduced by the final version include providing clarity on the three key points raised in the public consultation: (1) stopping the clock for clarification; (2) manifestly excessive requests and (3) fees for excessive, unfounded or repeat requests.
Stopping the clock for clarification
The SAR Guidance clarifies that, when controllers ask for clarification, the time limit for responding stops until the requester clarifies the request. Clock stopping is subject to the following considerations:
- The clock stops from the date controllers request clarification and will resume once the requester responds. Therefore, the time limit for responding will be extended by the number of days that the clock has been stopped.
- The clock only stops where clarification relates to the information requested (as opposed to, for example, clarification on the format of the response).
- Where controllers need to request both clarification and verification of ID, there is no need to wait until the requester clarifies the SAR in order to ask for proof of ID, provided that no personal data is disclosed without previously checking the requester’s identity.
- Controllers are expected to contact the requester “as quickly as possible” with an explanation of (a) the reasons why clarification is being sought; (b) the fact that the clock has been stopped until they respond; and (c) whether they need to provide clarification within a certain time (although controllers should try to accommodate the requester as much as possible).
- Where certain information can be provided without seeking clarification, controllers should provide that information within one month. For instance, controllers could provide the supplementary information under Article 15.1 General Data Protection Regulation (GDPR), including via a link to the privacy notice.
- Where controllers do not receive clarification within a reasonable period of time (generally, one month), the request could be marked as “closed”.
- The clarification process should be as smooth as possible. As such, the request for clarification should be made in the same format the individual used for the original SAR and, where possible, controllers should help requesters clarify the request (e.g. by asking the requester to provide the context in which the controller may have processed their information and specific date ranges).
- Where it is unclear whether the requester is making a SAR, the clock will not start ticking until the requester has clarified that he/she is making a SAR and what personal data is being requested. In any event, controllers should bear in mind that the GDPR does not set out formal requirements for a valid request and that a SAR will be valid whenever it is clear that the requester is asking for his/her personal data (without it being necessary for the request to include phrases such as “DSAR”, “SAR”, “subject access request”, “right of access”, etc.).
- Controllers should keep a record of any conversation/exchange with the individual and be able to justify the position to the ICO, if necessary.
Manifestly excessive requests
Whilst the Draft Guidance regarded “excessive” requests as one of the grounds which allowed controllers to refuse to comply with a SAR, the ICO has slightly nuanced its approach under the SAR Guidance, referring instead to “manifestly excessive” requests. In addition to the criteria set out in the Draft Guidance (i.e. requests repeating the substance of previous requests without a reasonable interval having elapsed, or requests overlapping with other requests), which still apply, the SAR Guidance sets out additional circumstances to help controllers assess whether a SAR is “clearly or obviously unreasonable” and, therefore, can be regarded as “manifestly excessive”, including:
- The nature of the requested information.
- The context of the SAR, and the relationship between the controller and the requester.
- Whether a refusal to provide the information or even acknowledge if the controller holds it may cause substantive damage to the requester.
- The controller’s available resources.
Fees for manifestly excessive, unfounded or repeated requests
In the SAR Guidance, the ICO provides greater clarity on the administrative costs that can be taken into account when determining the reasonable fee that can be charged when responding to manifestly excessive, unfounded or repeated requests (the latter meaning situations where an individual requests further copies of the data).
When determining a reasonable fee, the ICO considers that, in addition to photocopying, printing and postage (which had already been included in the Draft Guidance), controllers can also take into account the costs of:
- Assessing whether personal data is being processed.
- Locating, retrieving and extracting the information.
- Communicating the response to the requester, including any other costs involved in handing over the information to the requester (e.g. costs of making the information available remotely on an online platform), as well as equipment and supplies (e.g. discs, envelopes, USB devices, etc.).
- Staff time, on the basis of the estimated time, charged at a reasonable hourly rate, which in any event should be within the limits that the Secretary of State may specify in the future.
Controllers should ensure that overlaps and duplications are considered when calculating the final fee.
As a matter of good practice, the SAR Guidance recommends that, whenever controllers request a fee, they should establish the criteria for charging fees in a clear, concise and accessible manner, including:
- Circumstances in which a fee can be charged.
- Standard charges, including costs breakdown where possible.
- How the fees are calculated.
The criteria do not need to be published online, but should be provided when requesting the fee from the requester (even if the controller is not providing any personal data to the requester).
Finally, the SAR Guidance also clarifies that when controllers are not able to request the fee as soon as possible, they should document the reasons and be able to justify the position to the ICO. As with the approach taken for requests for clarification, the request could generally be marked as “closed” if the controller does not receive a response to the request for a fee within one month.
Daniel Lee, a trainee solicitor in our London office, contributed to this entry.