ICO publishes new guidance on subject access requests


Share

The Information Commissioner's Office (ICO) has published new guidance for organisations on how to deal with subject access requests.  

The guidance provides clarification on the circumstances in which a subject access request (SAR) may be deemed complex, enabling a period of one month from receipt of the SAR to effectively stop the clock while a data controller waits for the individual to clarify their request.

It confirms that, in determining whether a SAR is manifestly excessive the data controller has to consider whether it is clearly or obviously unreasonable.  All the circumstances of the SAR should be taken into account and used to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.

The guidance also states that when the data controller charges a reasonable fee for excessive, unfounded or repeated SARs this fee can include the costs of staff time, copying, postage, and other expenses involved in transferring the data to the individual.

In addition to this guidance the ICO is developing other resources such as a guide for small businesses to aid the understanding of SARs.

News

Trowers comments: ESG for HR

Explore
Insight

Doctor who refused to use transgender service users' pronouns was not discriminated against

Explore
Insight

A round-up of other gender critical belief decisions

Explore
Insight

Holiday for part-year workers should not be reduced pro rata

Explore
Insight

Injunction restraining termination and re-engagement of Tesco employees overturned by Court of Appeal

Explore
Insight

PHI and contractual liability

Explore