The Information Commissioner’s Office (ICO) Right of Access Detailed Guidance.

Napthens - December 8th 2020

Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or ‘SAR’. Individuals can make SARs verbally or in writing, including via social media. A third party can also make a SAR on behalf of another person.

Individuals have the right to obtain the following from a controller/employer:

  • confirmation that they are processing their personal data;
  • a copy of their personal data;
  • other supplementary information; and
  • a copy of the Company Privacy Notice.

In most circumstances, a company cannot charge a fee to deal with a request. An employer should respond without delay and within one month of receipt of the request. The time limit may be extended by a further two months if the request is complex or if the company has received a number of requests from the individual.

Employers should perform a reasonable search for the requested information. They should provide the information in an accessible, concise and intelligible format. Additionally, the information should be disclosed securely.

A company can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

Last week the ICO published the Right of Access detailed guidance. The guidance doesn’t alter the existing law but rather provides clarification for employers on how to deal with SARs. There are three main areas that the guidance addresses:

1) What is meant by a ‘manifestly excessive’ SAR?

Under data protection law, if a SAR is manifestly excessive, an employer may charge a fee for dealing with the request or may refuse to deal with it. The new guidance states that, when assessing if a SAR is manifestly excessive, it is a balancing act and the employer must determine whether the SAR is “clearly or obviously unreasonable”. Employers should take into account all the circumstances of the SAR, including (but not limited to) the nature of the information, the context of the request, whether not complying with the SAR could cause substantive damage to the employee and the available resources.

This includes assessing whether the response required is “proportionate when balanced with the burden or costs involved”.

2) What can an employer charge for complying with a manifestly excessive, unfounded or repeated SAR? (the ‘reasonable fee’)

The guidance states that a ‘reasonable fee’ can include the cost of staff time (at a reasonable rate), photocopying, printing, postage and any other costs in transferring the information to the individual. This includes the cost of equipment and supplies such as envelopes and USB sticks.

3) Stopping the clock when clarification of the SAR is required:

The starting point is that the employer must respond to a SAR without undue delay, and within one month of receiving the request. Under the new guidance, organisations can ask an individual to clarify what information they want as part of their SAR if they hold a large amount of information about the individual and it’s unclear what information the individual is requesting. An employer can potentially ‘stop the clock’ on the 30-day time limit for compliance with a SAR, if clarification is genuinely required and if the employer processes a large volume of information about that employee. We note that the time limit is paused only for the number of days it takes the individual to clarify their request. It is not the case that the one-month time limit runs from the date the request is clarified. Employers would therefore be well advised not to delay seeking clarification.

The ICO has provided several useful examples, including examples of how to deal with the initial stages of a SAR and the relevant time limits. The full guidance can be found here.