The ICO has updated its Data Subject Access Request ("DSAR") guidance, following the consultation in December 2019.
The aim of this update is to make the guidance clearer, following the feedback from different stakeholders in the market.
Amongst other clarifications, this includes:
- The clock stops when you are waiting for clarification – In certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request.
Our thoughts: Don't get too excited - this is not a blank cheque - questions need to be relevant, limited in number and justified.
- Further clarification on what constitutes a manifestly excessive request – there is a lot of confusion over when to class a request as manifestly excessive. The new definition is as follows:
  - A request may be manifestly unfounded if:
    - the individual clearly has no intention to exercise their right of access. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
    - the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:
      - explicitly states, in the request itself or in other communications, that they intend to cause disruption;
      - makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice;
      - targets a particular employee against whom they have some personal grudge; or
      - systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption.
Our thoughts: This is a reflection on the position most companies take in practice. Note that this is not a tick list; you will need to clearly justify why you believe it to be unfounded.
- When to charge a fee for excessive, unfounded or repeat requests – Responding to DSARs can be expensive. The guidance states when you can charge and what you can charge for. It encourages transparency about these fees.
Our thoughts: Put some thought into this and try to establish some criteria and fee brackets in advance. Ideally, include these in your privacy notice so people are forewarned of when and how much you charge for this.
When this guidance initially went out for consultation, back in December 2019, we received over 350 responses from organisations of all sizes and sectors. The responses were generally positive. However, there were calls for additional content and examples, and it was also obvious that there was an appetite for more support and clarification on some aspects of the law that aren’t so clear-cut. It showed how seriously organisations take their data protection obligations – and we’ve responded by providing clarity on the three key points raised.