Autor
Shireen Shaikh

Shireen Shaikh

Senior Professional Support Lawyer

Read More
Autor
Shireen Shaikh

Shireen Shaikh

Senior Professional Support Lawyer

Read More

18. November 2020

Law at Work - November 2020 – 2 von 9 Insights

Guidance on Subject Access Requests from ICO

  • Briefing

On 21 October the ICO published detailed guidance on subject access requests (SAR),  providing much-needed clarity on how employers should deal with the mechanics of SARs and certain grey areas. The numerous examples provided are helpful. There is now more clarity on certain aspects which businesses have found confusing (as indicated in a consultation on the guidance), such as when the clock may be stopped (in terms of the timescale for dealing with a request), when a request will be considered manifestly excessive, and when an employer may charge a reasonable fee.

Stopping the clock

Usually, when a subject access request is made, the employer must respond ‘without undue delay’ and no later than one month from receipt of the request. However, where a request is complex, or a number of requests have been made, the clock may be stopped and the employer will have a further two months within which to respond. The employer should write to the employee if it considers either of these scenarios to apply, explaining why more time is needed to deal with the request.

An example of more than one request being made is where an employee is not only seeking copies of their data but also to exercise an additional right, such as to have certain data erased. The complexity of a request will depend on a variety of factors (not just sheer volume of data sought), including whether there are technical difficulties in retrieving archived data, or whether particularly sensitive data is involved.

Manifestly excessive

Sometimes a request can strike an employer as disproportionate and overwhelming. If a request is manifestly excessive, the employer may refuse to accede to the request, writing to the individual and explaining why, also informing them of their right to complain to the ICO.

The guidance states that a request will be manifestly excessive if it is ‘clearly or obviously unreasonable’. It sets out a number of factors to be taken into account when making this assessment, including the nature of the information sought, the context of the request, the resources available to the organisation. In short, a balancing exercise is required, having regard to the potential burden on the business and the detriment to the individual if their request is not met.

Charging a fee

Usually, an employer is not entitled to charge a fee for complying with a subject access request. However, an employer is entitled to charge a reasonable fee if it is dealing with a request which is manifestly excessive or unfounded, or else extra copies of the data have been requested. The guidance sets out some of the items that may be charged for, including copying costs, USB keys, postage. A reasonable hourly rate may also be charged for staff time dealing with such requests.

Further steps

The ICO intends to publish a short guide, with top tips, for smaller businesses in due course. Because this is a complex and technical area to navigate, businesses should develop a simple policy or internal checklist for dealing with SARs so that they are not blindsided by an unusual or complex request. For further assistance in this area, contact a member of the employment team.

Call To Action Arrow Image

Newsletter-Anmeldung

Wählen Sie aus unserem Angebot Ihre Interessen aus!

Jetzt abonnieren
Jetzt abonnieren

Related Insights

Employment, Pensions & Mobility

Data protection: employer entitled to process data relating to alleged commission of offence

18. November 2020
Quick read

von Kathryn Clapp und Shireen Shaikh

Klicken Sie hier für Details
Employment, Pensions & Mobility

Private WhatsApp messages could be used in disciplinary proceedings

18. November 2020
Quick read

von Kathryn Clapp und Shireen Shaikh

Klicken Sie hier für Details
people walking
Employment, Pensions & Mobility

Wake-up call to 'middleman' businesses introducing individuals to end-users

19. Oktober 2020

von Shireen Shaikh

Klicken Sie hier für Details