The updated guidance provides clarification for employers as data controllers grappling with DSARs. In the ICO’s own words, it provides more support and clarification on “some aspects of the law that aren’t so clear cut”. We contributed to the ICO’s consultation and are pleased that the ICO has adopted at least some of our recommended changes, in particular on the issue of clarification / timescales (see below).
The guidance runs to 81 pages and covers all aspects of the process of responding to DSARs. The ICO’s position on extending time due to complexity, carrying out searches of archived data and dealing with third party information is largely unchanged. However, there are material developments for employers responding to employee DSARs, as follows:
At the end of 2019, the ICO departed from its previous position and stated that the start of the one- or three-month time period for complying with a DSAR would no longer be delayed until a data controller receives clarification of a request. This position was reflected in the draft guidance produced for the purposes of consultation, and was considered controversial by many and potentially inconsistent with the GDPR.
The new guidance offers a compromise in the form of a “stop the clock” mechanism where clarification of the DSAR is genuinely needed in order for the data controller to carry out a reasonable search. In these circumstances, the timescale for responding to the DSAR will be extended by the period taken for the data subject to provide the requested clarification.
So, for example, if a DSAR is submitted on 14 November, clarification is sought by the data controller on 16 November but this clarification is not provided by the data subject until 16 December, the data controller will benefit from an additional month to complete the response to the DSAR (as the clock stops between 16 November and 16 December).
Of course the data subject might respond very promptly, in which case the extension of time will be minimal. Should the data subject reply the same day, a data controller will not benefit from any extension of time.
The use of this mechanism is subject to a number of conditions in particular:
• A request for clarification should be made “as quickly as possible” (we would suggest within 3 working days).
• Clarification should be sought only where it is genuinely required in order to respond to the DSAR and where the controller processes a large amount of information about the data subject.
• When seeking clarification, you must highlight the fact that the clock stops and will resume on the day the individual responds.
Data controllers need to ensure that any DSAR responses are reasonable and proportionate. However, a data controller may refuse to respond to a request, or part of it, if it can show the request is “manifestly unfounded or manifestly excessive.” The ICO has broadened the definition of a manifestly excessive DSAR so arguably more DSARs will be captured.
The guidance sets out that data controllers cannot have a blanket policy regarding this exception and must assess each DSAR on its facts.
Whether a DSAR is “manifestly excessive” turns on whether it is clearly or obviously unreasonable taking all the circumstances of the request into account. This will include:
• the nature of the requested personal data, including whether it is particularly sensitive;
• the context of the request, and the relationship between the data controller and the data subject;
• the resources available to the organisation weighing up the burden, including costs, involved;
• whether the DSAR largely repeats previous requests and a reasonable interval has not elapsed; or
• whether it overlaps with other requests.
In most cases data controllers cannot charge a fee for responding to a DSAR. However, a reasonable fee can be charged for the administrative costs of complying with a DSAR if it is manifestly unfounded or excessive, or if an individual requests further copies of their data following a request. As noted above, an alternative is to refuse to comply with an excessive or unfounded request.
A reasonable fee may include the costs of:
• Transferring the information to the data subject, i.e. photocopying, printing, postage or providing access to an online platform
• Equipment and supplies such as USB devices
• Staff time charged at a reasonable hourly rate (there is no rate suggested for this)
The new “stop the clock” provision, which applies when seeking clarification of a request, is a welcome development for employers, given the difficulties of meeting a DSAR deadline when further details are needed to inform the search exercise. (Of course, it is not as generous as the position under the old Data Protection Act 1998, or the ICO’s previous position under the GDPR, under which the clock would start only once clarification was provided.) In practice, if clarification is needed, data controllers must act quickly, and we would suggest also commencing the search exercise in parallel, with a view to refining this exercise if and when the clarification is provided. It is also important to keep an accurate log of when DSARs are received, when clarification is requested and when it is provided, to ensure that the response deadlines can be calculated correctly.