A MIXED BAG FOR EMPLOYERS: THE ICO’S DRAFT UPDATED GUIDANCE ON SUBJECT ACCESS REQUESTS
The ICO has opened a public consultation on its draft updated guidance on SARs. The guidance is not final, but provides a useful indication of the ICO’s thinking.
Essentially, SARs involve 2 obligations on employers:
– complying with / responding to the SAR itself on time and in full; and
– being prepared to comply with / respond to the SAR.
The ICO emphasises the importance of being ready to deal with SARs adequately by implementing preparatory measures, such as staff training, internal guidance, designating staff to handle SARs, developing an effective information management system and having a functional data retention policy.
The threshold for a valid SAR is low, but there are limits
To be valid, a SAR need not be in writing, directed to any particular individual or sent via any particular channel (even social media is acceptable). The request does not require key words like “SAR”, “Article 15 GDPR” or even “personal data”. As long as it is clear from the request that somebody wants to see their personal data, it can be a valid SAR.
However, the ICO imposes limits: correspondence or requests made in the normal course of business which necessarily involve personal data (such as an individual asking for a document you previously gave them) can be differentiated from SARs.
Asking for further information is no longer a cause for delaying compliance
Under previous guidance, compliance could be delayed by asking for further clarifying information (for example asking for particular date ranges or document types to narrow broad requests). Unless there is a genuine need for further information to identify the requester, asking for further information is no longer cause for delay.
Delaying compliance for “complex” and “numerous” requests
The ICO provides practical guidance on circumstances which can render a SAR sufficiently “complex” to entitle employers to a 2-month extension to the usual 1-month period to comply:
– Technical difficulties in retrieving the information (for example requiring external IT assistance to retrieve archived information).
– Needing specialist input, such as lawyers advising on the applicability of numerous exemptions.
– When the SAR relates to large amounts of special category / otherwise sensitive personal data.
A large amount of documents does not automatically make a SAR complex, but can be a complicating factor when combined with other circumstances.
The ICO also makes clear that, in deciding whether requests are too “numerous”, you can consider a requester’s recent attempts to exercise other individual rights (such as the right of erasure).
Proportionate and reasonable response
Prior to the GDPR, under English law you only had to expend “reasonable and proportionate” efforts to comply with a SAR. To the extent any doubt remained, the ICO confirms that this is no longer the case: the GDPR places a high expectation on you to search for, and provide, the requested information.
Refusing to comply: “manifestly unfounded” requests
Under the GDPR, you can refuse to comply with a SAR which is “manifestly unfounded” in the circumstances. The ICO has finally provided practical examples of what may constitute a manifestly unfounded request, and in doing so they appear to address well-publicised employer concerns about how individuals use SARs. SARs may be manifestly unfounded where:
– An individual clearly has no intention to exercise the right of access (for example, making a SAR and then withdrawing it in exchange for a benefit from the organisation, such as an enhanced settlement package).
– The request is clearly malicious or made to disrupt an organisation/particular person.
– The request is accompanied by unsubstantiated allegations.
Please note that the availability of this exemption depends on the relevant circumstances. The use of the word “manifestly” means there is still a high threshold to clear, so we always recommend that you seek legal advice.
The consultation closes next month, so employers should keep an eye out for publication of the finalised guidance. If you have any questions about what this means for you, please ask our Data Privacy specialist, Lucas Atkin.