Citation ISO Certification
Get A Quote Atlas logo - Red capital A logoLogin 0333 344 3646
See what we're all about

Information Commissioner’s Office updates their Data Protection guidance

16.08.2019

2 min read

All Articles

By Topic

All Quality Environment Information Security Health & Safety Management Systems Management Reviews Business Advice All ISOs Audits Case Studies

Related Articles

Information security vs Cyber Security: Recognising the difference ISO 27001 v 27002: What’s the difference? How physical security controls help businesses protect information

The Information Commissioner’s Office (ICO) has updated their guidance on Subject Access Requests (SAR). A Subject Access Request is where a person asks to see what data you hold on them.

This latest update clearly explains what both the GDPR and DPA expect from businesses when it comes to SARs, in that the time frame you have to respond to a request has changed and the term ‘manifestly unfounded or excessive’ has been clarified.

Regardless of the size of your business or the UK’s Brexit status; if you use, store or process personal information you need to take note of these changes and put them into practice within your business.

Responding to Subject Access Requests

While there has been no change to the length of time you have to physically respond to an SAR – this is still one month – there has been a change to the recognised start date of the SAR. The start of this period is now from the date of the request being raised, rather than the day after receipt of the request.

Unfounded Subject Access Requests

An unfounded request is one that you believe you should not have to fulfil as it is not genuine or otherwise questionable.

This is not a checkbox situation and will require you to assess and evidence your decision – explaining this decision to the individual making the request.

An unfounded request could involve instances of the following:

  • someone attempting to gain a benefit or advantage by threatening to use their right of access
  • someone attempting to harass an organisation or to cause disruption. For example:
    • they have specifically stated that is their intention
    • they have made unsubstantiated accusations against the business or an employee
    • they have a personal grudge against the business or an employee
    • they are sending systematic requests with the intention of causing disruption

Excessive Subject Access Requests

An excessive request is one that involves lots of work for your business, or a large amount of data being transferred to the requester.

As with unfounded requests, if you want to reject a SAR with this as a reason, you need to explain this to the requester, including evidence for that decision.

An excessive request could involve instances of the following:

  • someone has previously made a manifestly unfounded or excessive request
  • someone has repeated a previous request that is outside of a reasonable interval determined by:
    • the nature of the data
    • the purpose of the processing
    • how often the data is modified
  • someone has made a request that overlaps with another and:
    • the requests are of a similar nature
    • the requests refer to the same data
  • someone has requested a large amount of information despite being asked to clarify why they require those details
You should also note that just because a request matches the above criteria, it is not necessarily an excessive request, especially if the time required to process the request is merely burdensome and there are no other reasons to not provide the information.

Which pieces of guidance have been updated?

These changes affect the rights of the data subject and therefore the ICO’s guidelines have been updated. The rights affected by these changes are:

  • Their right of access
  • Their right to rectification
  • Their right to erasure
  • Their right to restrict processing
  • Their right to data portability
  • Their right to object

Keep up-to-date

The ICO regularly review their guidelines in line with changes from the EU and industry changes. For a full list of modifications to their guidance, please review their What’s New page.

Sign up to get the latest in your inbox

    • Email address
Join Us

About the author

  • Name:

    Michelle-Louise Janion

  • Company:

    Marketing Executive

  • Bio:

    Michelle worked for Citation ISO Certification from 2017 to 2019, producing engaging content around ISO Standards and other compliance related topics.

Cookies

QMS International use cookies to provide you with a better site experience, enable features and to help us understand how our website is being used.

By continuing, you consent to the use of cookies in accordance with our Cookie Policy

Allow All Cookies

Allow Strictly Necessary Cookies Only