ICO's detailed guidance on the right of access

In the third of our series of articles on common personal data concerns for insolvency practitioners (IPs), we look at how IPs should handle data subject access requests (SARs).

Late last year, the ICO's new guidance emphasised the significance of the right of access to individuals in an increasingly digital world (particularly during the Covid-19 pandemic). It also highlighted the importance of organisations having effective and efficient policies and procedures for handling SARs. This is relevant to all organisations that process personal data: controllers must comply with the SAR requirements in the GDPR and DPA 2018, and processors may have to help their controller customers comply.

ICO data processing rules overview

An individual data subject has the right to find out whether a data controller is processing their personal data. If the answer is 'yes', that individual has a right to access the personal data and to receive a range of other information about the processing conducted by the data controller. Data processors that process personal data on behalf of data controllers may need to assist those controllers in complying with SARs.

IPs handle significant quantities of personal data. Some of it will have been held by the insolvent company before liquidation (employee and customer databases, for example). For that data, a liquidator acts as the company's agent and does not become the principal in the company's place: the company remains the controller and the liquidator is classed as a data processor.

However, the position is different for data processed by a liquidator in its own right. Data arising from the employment of staff after the liquidation, for example, would make the liquidator the data controller. The same applies to data relating to an IP's own office (creditor and debtor information, for example).

So, depending on the circumstances, IPs may be controllers or processors of personal data under data protection law. For this reason, it is important that IPs are aware of the requirements relating to SARs and, in particular, the latest guidance from the ICO.

Latest ICO guidance

On 21 October 2020, the ICO published new detailed SARs guidance with the aim of simplifying and clarifying various elements of subject access requests.

The new guidance discusses the right of access in detail and looks to give practical examples and advice.

As identified during the consultation process, the following areas of SARs were given particular focus by the ICO:

Allowing further time if clarification on a request is sought

If you hold a large amount of information and it is not clear what specific information the individual is requesting, or if it is genuinely unclear whether an individual is making a SAR at all, you can seek clarification from the data subject. The time limit for responding is then paused from the day you ask until the day you receive the clarification. This is referred to as 'stopping the clock'. Be aware, however, that if the requester provides the clarification on the same day you ask for it, the clock is not stopped at all.

Here is an example:

If you receive a request on 14 May, the time limit starts on that day. You have one month to reply, so you should respond on or before 14 June.

If you ask for clarification on 15 May, the clock stops on 15 May and stays stopped until the date the requester responds. If the requester provides clarification on 18 May, the clock restarts on that date.

In this instance, the clock was stopped from 15 May until 18 May, three days in total. The original one-month deadline is therefore extended by three days, and you should respond on or before 17 June.

In practice this gives you longer to respond to a SAR when the requester is slow to answer your request for further information. The onus is still on you to act diligently, however: if a requester responds by simply repeating their request or refusing to provide any additional information, you must still comply by making reasonable searches for the information. If you receive no response at all, you may 'close' the request after a reasonable period.

Where you need ID to verify the identity of the requester, the one-month timescale does not begin until you have received the information you asked for.
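As an added illustration, and not part of the ICO guidance or of this article, the following Python function turns the timescale rules above into a deadline calculation: the worked example (14 May, clarification sought 15 May and received 18 May, respond by 17 June), same-day clarification that does not stop the clock, a request still waiting on clarification, and the case where the clock only starts once ID has been received. One rule is taken from the ICO's general guidance on calculating time limits rather than from this article and is marked as such in the code: if the following month has no corresponding calendar date (31 January, for example), the deadline is the last day of that month. The 2021 dates used in the example are assumed.

```python
"""
SAR response-deadline calculator following the ICO 'stop the clock' rules.
Dates are ISO strings (YYYY-MM-DD). The deadline is returned as an ISO
string, or None while the clock is still stopped awaiting clarification.
"""
import calendar
from datetime import date, timedelta


def _one_month_after(d: date) -> date:
    """Same calendar date in the following month.

    Assumption (from the ICO's general guidance on calculating time limits,
    not from the article): if the following month has no such date, e.g.
    31 January -> February, the deadline is the last day of that month.
    """
    year = d.year + (1 if d.month == 12 else 0)
    month = 1 if d.month == 12 else d.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def sar_deadline(received, id_received=None, clarification_sought=None,
                 clarification_received=None):
    """Return the response deadline (ISO string) for a single SAR.

    received               - day the request arrived
    id_received            - day the requested ID arrived, if you needed ID to
                             verify the requester; the clock starts only then
    clarification_sought   - day you asked for clarification (stops the clock)
    clarification_received - day the requester clarified (restarts the clock);
                             None while still waiting, in which case None is
                             returned because no deadline can be computed yet
    """
    start = date.fromisoformat(received)
    if id_received is not None:
        # The timescale does not begin until the ID you asked for is received.
        start = max(start, date.fromisoformat(id_received))
    deadline = _one_month_after(start)

    if clarification_sought is not None:
        sought = date.fromisoformat(clarification_sought)
        if sought < start:
            raise ValueError("clarification cannot be sought before the clock starts")
        if clarification_received is None:
            return None  # clock still stopped
        resumed = date.fromisoformat(clarification_received)
        if resumed < sought:
            raise ValueError("clarification received before it was sought")
        # Number of days the clock was stopped. A same-day reply gives 0,
        # i.e. the clock is not stopped at all, as the guidance states.
        paused_days = (resumed - sought).days
        deadline += timedelta(days=paused_days)

    return deadline.isoformat()


if __name__ == "__main__":
    # The worked example from the guidance (year assumed): request 14 May,
    # clarification sought 15 May and received 18 May -> respond by 17 June.
    print(sar_deadline("2021-05-14", clarification_sought="2021-05-15",
                       clarification_received="2021-05-18"))
```

The function deliberately returns None while the clock is stopped rather than guessing a provisional date, so a SAR tracker built on it cannot show a deadline that has silently moved; it also refuses impossible orderings (clarification received before it was sought) instead of producing a shorter deadline than the law allows.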

When is a request ‘manifestly excessive’?

The guidance broadens this concept, giving organisations greater scope to refuse to respond to such requests.

Each request must be considered on its own facts, taking into account:

  • the nature of the requested information;
  • the context of the request, and the relationship between you and the individual;
  • whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
  • your available resources;
  • whether the request largely repeats previous requests, and a reasonable interval hasn’t elapsed (taking into account the nature of the data and how often you alter it); or
  • whether it overlaps with other requests (although if it relates to a separate set of information it is unlikely to be excessive).

What can businesses include in the admin fee when charging for excessive, unfounded or repeat requests?

The ICO has made it clear that organisations can take the cost of staff time into account when responding to these requests. It has also provided high-level guidance on how to quantify these costs, stating that you can take into consideration the administrative costs of:

  • assessing whether or not you are processing the information;
  • locating, retrieving and extracting the information;
  • providing a copy of the information; and
  • communicating the response to the individual, including contacting the individual to inform them that you hold the requested information (even if you are not providing the information).

You cannot ‘double-charge’ if these activities overlap.

The ICO also suggests that a reasonable fee may include the costs of:

  • photocopying, printing, postage and any other costs involved in transferring the information to the individual (e.g. the costs of making the information available remotely on an online platform);
  • equipment and supplies (e.g. discs, envelopes or USB devices); and
  • staff time.

As yet there is no regulatory guidance on the limits to any fee you charge, but you should act responsibly and charge a reasonable, proportionate and consistent rate.

If you choose to charge a fee, you do not need to comply with the request until you have received the fee.

Other useful tips:

In addition to the above clarifications, here are a few other points from the guidance worth flagging:

  • SARs can be made via social media if your organisation has a presence there. You are unlikely to respond through the same channel, however, so you may need to ask for an alternative delivery address for your response;
  • Requests can be made by a third party on the individual's behalf. The guidance gives more detail on the authority the third party must demonstrate and on who the response should be sent to;
  • Controllers are not obliged to take proactive steps to discover that a SAR has been made. If you cannot view a SAR (on an online portal, for example) without paying a fee or signing up to a service, you have not 'received' it and are not obliged to respond;
  • Guidance on requests for information about children or young people. A reasonable starting point is that a person aged 12 years or over is presumed to be of sufficient age and maturity to exercise their right of access, unless the contrary is shown;
  • The guidance sets out examples of factors that may, in some circumstances, add to the complexity of a request;
  • A SAR made as part of a bulk request has the same legal status as a SAR made by an individual. You must therefore consider each SAR within a bulk request individually and respond appropriately (and within the usual timescales);
  • Retrieving electronic data includes recovering archived information and back-up records, emails, information stored in different locations, data held in large datasets and sometimes data held on staff's personal equipment, but it does not include deleted or discarded information.

Conclusion:

Although a lot of the guidance in this newest version will be familiar to IPs, the ICO was keen to highlight that it has taken on board calls from organisations during the consultation period to provide more clarification on some of the more ambiguous aspects of the SAR requirements.

The ICO also confirmed that it is looking to provide extra support by planning a suite of resources. One of these will be a simplified SAR guide for small businesses, which aims to set out the key ‘need-to-knows’ from the detailed guidance.

For legal assistance in meeting your data compliance requirements, contact Ed Hayes.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at February 2021. Specific advice should be sought for specific cases. For more information see our terms & conditions.
