18 November 2020
Law at Work - November 2020 – 2 of 9 Insights
On 21 October the ICO published detailed guidance on subject access requests (SARs), providing much-needed clarity on how employers should deal with the mechanics of SARs and certain grey areas. The numerous examples provided are helpful. There is now more clarity on certain aspects which businesses have found confusing (as indicated in a consultation on the guidance), such as when the clock may be stopped (in terms of the timescale for dealing with a request), when a request will be considered manifestly excessive, and when an employer may charge a reasonable fee.
Usually, when a subject access request is made, the employer must respond ‘without undue delay’ and no later than one month from receipt of the request. However, where a request is complex, or a number of requests have been made, the clock may be stopped and the employer will have a further two months within which to respond. The employer should write to the employee if it considers either of these scenarios to apply, explaining why more time is needed to deal with the request.
An example of more than one request being made is where an employee is not only seeking copies of their data but also seeking to exercise an additional right, such as to have certain data erased. The complexity of a request will depend on a variety of factors (not just the sheer volume of data sought), including whether there are technical difficulties in retrieving archived data, or whether particularly sensitive data is involved.
Sometimes a request can strike an employer as disproportionate and overwhelming. If a request is manifestly excessive, the employer may refuse to accede to the request, writing to the individual to explain why and to inform them of their right to complain to the ICO.
The guidance states that a request will be manifestly excessive if it is ‘clearly or obviously unreasonable’. It sets out a number of factors to be taken into account when making this assessment, including the nature of the information sought, the context of the request, and the resources available to the organisation. In short, a balancing exercise is required, having regard to the potential burden on the business and the detriment to the individual if their request is not met.
Usually, an employer is not entitled to charge a fee for complying with a subject access request. However, an employer is entitled to charge a reasonable fee if it is dealing with a request which is manifestly excessive or unfounded, or where extra copies of the data have been requested. The guidance sets out some of the items that may be charged for, including copying costs, USB keys, and postage. A reasonable hourly rate may also be charged for staff time dealing with such requests.
The ICO intends to publish a short guide, with top tips, for smaller businesses in due course. Because this is a complex and technical area to navigate, businesses should develop a simple policy or internal checklist for dealing with SARs so that they are not blindsided by an unusual or complex request. For further assistance in this area, contact a member of the employment team.
by Multiple authors