The Information Commissioner’s Office (ICO) has updated their guidance on Subject Access Requests (SAR). A Subject Access Request is where a person asks to see what data you hold on them.
This latest update clearly explains what both the GDPR and DPA expect from businesses when it comes to SARs, in that the time frame you have to respond to a request has changed and the term ‘manifestly unfounded or excessive’ has been clarified.
Regardless of the size of your business or the UK’s Brexit status; if you use, store or process personal information you need to take note of these changes and put them into practice within your business.
Responding to Subject Access Requests
While there has been no change to the length of time you have to physically respond to an SAR – this is still one month – there has been a change to the recognised start date of the SAR. The start of this period is now from the date of the request being raised, rather than the day after receipt of the request.
Unfounded Subject Access Requests
An unfounded request is one that you believe you should not have to fulfil as it is not genuine or otherwise questionable.
This is not a checkbox situation and will require you to assess and evidence your decision – explaining this decision to the individual making the request.
An unfounded request could involve instances of the following:
- someone attempting to gain a benefit or advantage by threatening to use their right of access
- someone attempting to harass an organisation or to cause disruption. For example:
- they have specifically stated that is their intention
- they have made unsubstantiated accusations against the business or an employee
- they have a personal grudge against the business or an employee
- they are sending systematic requests with the intention of causing disruption
Excessive Subject Access Requests
An excessive request is one that involves lots of work for your business, or a large amount of data being transferred to the requester.
As with unfounded requests, if you want to reject a SAR with this as a reason, you need to explain this to the requester, including evidence for that decision.
An excessive request could involve instances of the following:
- someone has previously made a manifestly unfounded or excessive request
- someone has repeated a previous request that is outside of a reasonable interval determined by:
- the nature of the data
- the purpose of the processing
- how often the data is modified
- someone has made a request that overlaps with another and:
- the requests are of a similar nature
- the requests refer to the same data
- someone has requested a large amount of information despite being asked to clarify why they require those details
Which pieces of guidance have been updated?
These changes affect the rights of the data subject and therefore the ICO’s guidelines have been updated. The rights affected by these changes are:
- Their right of access
- Their right to rectification
- Their right to erasure
- Their right to restrict processing
- Their right to data portability
- Their right to object
The ICO regularly review their guidelines in line with changes from the EU and industry changes. For a full list of modifications to their guidance, please review their What’s New page.