Subject access request timescales – New guidance from the ICO
Subject access request timescales – New guidance from the ICO
The ICO has updated its guidance around how long an organisation has to respond to a subject access request (SAR) following a Court of Justice of the European Union (CJEU) ruling.
The guidance previously stated that SARs must be responded to within one calendar month, with the day after receipt counting as ‘day one’.
This has now changed.
‘Day one’ is now the day of receipt – for example, a SAR received on 3 September should now be responded to by 3 October. You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
The ICO has also updated its guidance on the meaning of ‘manifestly unfounded’ and ‘excessive’. You will know already that a data controller can also refuse to comply with a subject access request if it is:
- manifestly unfounded; or
- excessive.
In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy. You must also be able to demonstrate to the individual why you consider the request is manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.
What does manifestly unfounded mean?
A request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purposes other than to cause disruption. For example:
- the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
- the request makes unsubstantiated accusations against you or specific employees;
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.
This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made, and you are responsible for demonstrating that it is manifestly unfounded.
Also, you should not presume that a request is manifestly unfounded because the individual has previously submitted requests which have been manifestly unfounded or excessive or if it includes aggressive or abusive language.
The inclusion of the word “manifestly” means there must be an obvious or clear quality to it being unfounded. You should consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded.
What does excessive mean?
A request may be excessive if:
- it repeats the substance of previous requests and a reasonable interval has not elapsed; or
- it overlaps with other requests.
However, it depends on the particular circumstances. It will not necessarily be excessive just because the individual:
- requested a large amount of information, even if you might find the request burdensome. Instead you should consider asking them for more information to help you locate what they want to receive;
- wanted to receive a further copy of information they have requested previously. In this situation a controller can charge a reasonable fee for the administrative costs of providing this information again and it is unlikely that this would be an excessive request;
- made an overlapping request relating to a completely separate set of information; or
- previously submitted requests which have been manifestly unfounded or excessive.
When deciding whether a reasonable interval has elapsed you should consider:
- the nature of the data – this could include whether it is particularly sensitive;
- the purposes of the processing – these could include whether the processing is likely to cause detriment (harm) to the requester if disclosed; and
- how often the data is altered – if information is unlikely to have changed between requests, you may decide you do not need to respond to the same request twice. However, if you have deleted information since the last request you should inform the individual of this.
What should we do if we refuse to comply with a request?
You must inform the individual without undue delay and within one month of receipt of the request.
You should inform the individual about:
- the reasons you are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
If you have any questions relating to how to respond or deal with a subject access request – please contact the GDPR team at Paris Smith.