On 21 October 2020 the UK Information Commissioner (ICO) published new detailed guidance regarding subject access requests (SARs) made by individuals to organisations which are processing their personal data. The publication of the guidance follows a consultation which began in December 2019, to which over 350 organisations responded. The guidance aims to simplify how organisations deal with subject access requests and is intended for use by data protection officers and those with specific data protection responsibilities in larger organisations.
In a blog post published on the same day, the ICO notes that the right of access is a fundamental right under data protection law, observing that, with the use of personal data by many organisations worldwide being so prolific, it is very important for individuals to be able to know how their personal information is being utilised. The ICO also notes that individuals are increasingly aware of their data protection-related rights and are making requests in respect of them. The ICO stresses the importance for organisations of understanding how to address SARs quickly and effectively.
The guidance clarifies, in particular, a number of aspects of the law which are less straightforward. These include allowing organisations to “stop the clock for clarification”, in other words, allowing organisations more time to respond where they ask individuals to clarify their SARs. Additional guidance regarding what constitutes a manifestly excessive request has also been provided, together with guidance on what can be included when charging fees for repeated, excessive or unfounded requests.
The new guidance covers how to recognise SARs and what to take into account when responding to them. Advice is also provided regarding how to locate and retrieve information which is relevant to SARs and provide it to data subjects, as well as guidance on when organisations can refuse to respond to requests. Information about individuals other than the data subject who has made the request is also covered and advice regarding the various exemptions available (e.g. the crime and taxation exemption; the journalism, academia, art and literature exemption; the legal professional privilege exemption; and the health, education and social work data exemption) is also provided.
Special rules and provisions about SARs and some types of personal data (e.g. health data, credit files, social work data and unstructured manual records) are also discussed. The questions of whether the right of access can be enforced and also whether individuals can ever be obliged to make SARs are also considered.
The new guidance will, no doubt, be welcomed by many organisations, particularly those which receive a large number of SARs, which can be time-consuming and onerous to respond to. The guidance emphasises the benefits of preparing for the right of access, noting that doing so can help organisations, among other things, to comply with their legal obligations regarding data protection, increase the efficiency of their procedures for addressing SARs (thereby saving effort and time) and enhance the trust and confidence of individuals in organisations by being transparent regarding the information that is held about them.
More and more people are waking up to the power of their personal data, and are exercising their rights. That’s why, as an organisation, it’s important that you know how to deal with a subject access request (SAR) effectively and efficiently.