ICO publishes new guidance on subject access requests


The Information Commissioner's Office (ICO) has published new guidance for organisations on how to deal with subject access requests.  

The guidance provides clarification on the circumstances in which a subject access request (SAR) may be deemed complex, enabling a period of one month from receipt of the SAR to effectively stop the clock while a data controller waits for the individual to clarify their request.

It confirms that, in determining whether a SAR is manifestly excessive the data controller has to consider whether it is clearly or obviously unreasonable.  All the circumstances of the SAR should be taken into account and used to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.

The guidance also states that when the data controller charges a reasonable fee for excessive, unfounded or repeated SARs this fee can include the costs of staff time, copying, postage, and other expenses involved in transferring the data to the individual.

In addition to this guidance the ICO is developing other resources such as a guide for small businesses to aid the understanding of SARs.

Insight

Consultation launched on hiring agency staff to cover industrial action

Explore
Insight

What is in the government's Back to Work Plan? 

Explore
Insight

Draft code of practice published on preventing illegal working 

Explore
Insight

Increases to the national minimum wage announced

Explore
Insight

HR Law – December 2023

Explore
Insight

Webinar: Trowers Tuesday – being a Digital Employer of the Future

Explore