On 21st October 2020, the Information Commissioner’s Office (ICO) published detailed guidance for organisations on how to deal with subject access requests.
The full guidance is here – right of access detailed guidance
During the consultation period the ICO received over 350 responses from organisations of all sizes and sectors and as a result the ICO has confirmed the following:-
- Stopping the clock for clarification – in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request.
- What is a manifestly excessive request? – to combat confusion over when to class a request as manifestly excessive, the ICO has provided additional guidance and broadened its definition. The guidance confirms this assessment requires the controller to consider whether the SAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the SAR into account and using them to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.
- What can be included when charging a fee for excessive, unfounded or repeat requests – the controller’s reasonable fee may include the costs of staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices.