ICO consultation on Subject Access Requests
The Information Commissioner's Office (ICO) has recently been consulting on its current detailed draft guidance on an individual's right to make Subject Access Requests (SARs) to obtain their personal data.
A copy of the draft guidance can be found here.
One of the changes proposed to the current guidance is to the rules surrounding the time frame for responding to a SAR. Previously, under the ICO's 2018 guidance and under the Subject Access Request Code of Practice made under the Data Protection Act 1998, if a data controller received a request and asked for clarification on that request, the one month deadline (or three months, in the case of more complex requests) would be paused until clarification was received.
Under the current guidance, the clock will keep ticking even if clarification is sought, and the SAR must be responded to within one (or three) month(s) of the original request regardless of how long it takes for clarification to be given. In other words, if a SAR is made and the data controller needs clarity, they must request clarification; receive a response from the individual; gather, sort and redact (as necessary) all the data; and provide the relevant documents to the requester, all within one month of the original SAR being made.
Clearly this position presents a number of challenges for controllers faced with SARs in respect of which clarification is needed before the controller can start the process of searching for and compiling the response.
We have therefore raised the following concerns with the ICO in response to its consultation, given the opportunity to do so before the guidance is finalised:
Proportionality – responding to a SAR can be a mammoth task, particularly if the receiving controller holds a lot of data on the individual and the request is very broad. Requesting clarification is a good way to narrow the scope of a SAR, as often the individual will reveal that they are only interested in specific documents or a specific time frame and not every single document that a controller holds. Requesting clarification, and the potential narrowing of scope that follows it, allows controllers to respond in a way which is proportionate to the intended nature and scope of the request. It also allows controllers to devote a proportionate amount of their resources to responding to the request and avoids incurring unnecessary cost prior to the clarification being received. We are concerned that if time does not stop running to allow for clarification to be sought, this useful tool for making sure that the response is proportionate may be lost.
Discourages requests for clarification – as data controllers are still required to meet the original timescale for responding to a SAR, they may be discouraged from requesting such clarification, particularly if it is not immediately forthcoming. As mentioned above, requesting clarification is a good way of drilling down into what personal data the individual seeks. If this tool is not available, it may result in individuals receiving swathes of unnecessary and undesired data which may be contrary to the specific personal data sought by the data subject.
Increased errors – when time continues to run and a controller awaits clarification which is not immediate, the controller may find themselves with a very limited timeframe in which to respond to the request. The reduced timeframe is likely to result in an increase in mistakes being made. The increased time pressure to respond can lead to failures to redact third-party data, or the requester might not receive all the data they requested. Both of these scenarios can lead to complaints from requesters, and the SAR process will end up taking more time and resources as a result of those complaints.
Vexatious requests – the fact that the timeframe for responding to a request is not paused when clarification is asked for could result in increased use by data subjects of SARs as a tool to disrupt or run down a data controller's resources before bringing a claim against them, by purposefully making broad and sweeping requests for all of their personal data purely for tactical reasons. It is worth noting that a controller can refuse to comply with a vexatious request if the request is "manifestly unfounded or excessive", for example if an individual states that they want to cause a disruption or if they systematically send SARs as part of a campaign intended to cause disruption. However, there are no hard and fast rules for deciding whether a request is manifestly unfounded or excessive, and when a controller receives a SAR, they are not permitted to take the motive of the requester into account when deciding how to respond. Therefore, this may present a further tactical opportunity for litigious requesters to make life difficult for controllers by purposefully creating an expensive and difficult task for them.
We expect a number of practitioners will have raised similar concerns on behalf of their clients and we hope that the ICO will take these into account in considering the changes to be made to the current SAR guidance. If you would like to discuss any of the points raised above, please contact a member of our Data Privacy Group.