The Information Commissioner's Office (ICO) has published detailed guidance on how employers should deal with a subject access request (SAR). Aimed at data protection officers and those with specific data protection responsibilities in larger organisations, it discusses the right of access in detail and is intended to supplement the information set out in the Guide to Data Protection.
SARs have historically been a common cause of sleepless nights for employers because of a fear of not dealing with a request properly, so this more detailed guidance is extremely welcome. It has been produced following a consultation which highlighted a desire for additional content and examples, and for more support and clarification on aspects of the law that were not clear cut.
In particular, the guidance covers how to deal with:-
- SARs where the employer needs clarification of exactly what the person making the request (the "requester") is seeking, with the result that not enough time is left to respond within the statutory one-month time limit for compliance. Where the clarification is genuinely needed and the organisation processes a large amount of information about the employee, the "clock" on the time limit may, in some circumstances, be stopped while the organisation waits for the requester to respond.
- What a manifestly excessive request is. In some circumstances an organisation can refuse to comply with a SAR, either because an exemption applies or because the request is manifestly unfounded or manifestly excessive, but the point at which a request becomes manifestly excessive can be difficult to identify. The guidance explains that assessing this means considering whether the request is proportionate when balanced against the burden or costs involved in dealing with it, and sets out a list of the factors that should be included in that consideration.
- What can be included when charging a fee for excessive, unfounded or repeat requests. Instead of refusing to comply with a manifestly excessive or unfounded request, organisations can choose to charge a "reasonable fee". The guidance provides details on what can be taken into account when determining a reasonable fee and gives examples of the costs that can be included, such as staff time as well as stationery and other equipment and supplies used when responding.
Common issues such as handling information about individuals other than the requester are also covered, as is advice on the various exemptions that are available. Special rules about SARs and certain types of personal data, including health data, credit files, social work data and unstructured manual records, are also covered.
SARs can be time consuming and, at times, frustrating to comply with, and this additional guidance will be welcomed, particularly by organisations that deal with multiple requests. For smaller organisations the ICO has stated that further resources are planned, including simplified guidance for small businesses.