In October 2020 the Information Commissioner's Office (ICO) issued new guidance on Subject Access Requests (SARs). In this series of blogs I will be looking at what this means for individuals' rights and businesses' responsibilities.
How should an organisation respond to a request?
You should comply with a request without undue delay, and in any event within one month of receiving it. If the request is complex, or you have received a number of requests from the same individual, this period can be extended by a further two months, but you must tell the individual within the first month that you are extending it and why. Respond as quickly as possible, and tell the requester how long you expect the request to take to process.
If you process a large amount of data about an individual and it is not clear what information, or which processing, their request relates to, you can ask them to specify. You cannot refuse to release data that has been requested, but you can ask for clarification.
The one-month time limit is paused between your request for clarification and their reply. However, you should still supply any information that is clearly within scope, and deal with any part of the request that is already clear, within the original one-month limit.
Can we ask them to prove who they are?
You should always be satisfied that you know the identity of the person requesting the information. If they are acting on behalf of another person, you are entitled to ask for proof that they are authorised to do so. You may ask a third party for the same level of identification that you would ask of the data subject themselves.
Be prompt in your responses, and be clear about what identification you require. The time limit for responding to a SAR does not start until you have received the documentation you need to be satisfied that the request is legitimate and the individual is who they say they are. The process of proving identity should not be onerous, and must not be designed to deter or avoid a SAR: ask only for what is reasonable and proportionate to confirm identity.
Can I charge for a SAR?
A SAR is normally free of charge to the person making it. Responding is a legal requirement, so you should not normally charge for the service.
However, there are circumstances in which you may charge a 'reasonable fee' for the administrative costs involved: where the request is manifestly unfounded or excessive, or where an individual asks for further copies of data you have already supplied.
You can contact the ICO for more guidance on charging a fee.
Finding their data
You are expected to make reasonable efforts to find and retrieve all the data you hold on an individual and supply it to them. However, you are not required to carry out searches that would be unreasonable or disproportionate to the importance of providing access, for example where:
* there is very little data;
* the data does not relate to their request; or
* the effort needed to retrieve the data is disproportionate to its relative importance.
In such cases you may be entitled to decline a costly search.
At all times keep clear communication with whoever made the request and tell them of any decision you have made. You must balance the cost of any search against the importance of the data you hold, but you may not refuse to tell a requester what data, or what type of data, you hold on them.
In the next article we are going to look at how to supply the information requested, and what to do if you think the request should be refused.
For detailed guidance on SARs visit the ICO website, which has detailed guides including one on how to supply information.
[Don't forget that you can join in this conversation by tweeting at @shadowcat_mdk].