On October 21, 2020, following a consultation that began in December 2019, the ICO released its detailed guidance on Subject Access Requests (“SARs”), which we will refer to as the “New Guidelines”.
A SAR is an individual’s request for a copy of their personal information. For employers, SARs can become a time-consuming and expensive exercise.
While the new guidance does not change the underlying law, it does provide employers with some useful direction that should simplify and clarify how to respond to SARs. We have summarized the most important points below.
Stop the clock
Under the GDPR, data controllers must respond to SARs “without undue delay and in any event within one month of receipt of the request”. Until now, no provision had been made to extend that period while the controller waited for the data subject to clarify their request.
The new guidance provides that the clock can be paused while an organization waits for the requester to clarify their request: the response deadline is extended by the time the requester takes to provide that clarification. This gives controllers, and employers in particular, much-needed flexibility when faced with an ambiguous or overly broad SAR.
However, this is not a time-saving provision for all SARs. The new guidelines make clear that clarification should only be sought where it is genuinely necessary in order to respond to the SAR and where large amounts of data are processed about the requester. It is therefore unlikely that the “stop the clock” option could be used to extend the timeline for responding to a SAR where the requested information can be quickly and easily located and provided.
Nevertheless, this change is likely to be welcomed by employers, who will be able to stop the clock when dealing with ambiguous or broad SARs.
Another helpful addition in the new guidance is a broader explanation of what constitutes a “manifestly excessive” request. According to the new guidelines, controllers should base their assessment of a SAR on whether the request is proportionate, weighing the burden or cost of responding against the rights of the requester. First, organizations need to assess whether a request is “clearly or obviously” excessive. The new guidance makes clear that this means taking into account all the circumstances of the request, including the type of information requested, the relationship with the requester, the resources available, the potential impact of not providing the information, and whether the request duplicates a previous request or overlaps with other requests. The ICO urges organizations to bear in mind that a request is not necessarily excessive just because the person is requesting a large amount of information.
The ICO suggests that organizations should consider the nature of the data and how frequently it changes when assessing whether a SAR is manifestly excessive. Each SAR needs to be considered individually, so no blanket policy should be applied, and organizations are warned not to make assumptions based on previous requests from the same person. The ICO places emphasis on the word “manifestly” and suggests that organizations must have strong justification for concluding that a request is excessive. In practice this sets a high bar, and each case should be decided on its own facts.
Finally, the ICO has updated its guidance on what organizations can take into account when charging an administrative fee for a manifestly unfounded or excessive request. In setting out what a reasonable fee is, the ICO identifies the activities that controllers can charge for and warns against double-charging where those activities overlap. The new guidance notes that the administrative costs of assessing, locating, retrieving, extracting and copying the information, as well as the time taken to communicate the response, can be taken into account when determining a fee. It follows that a reasonable fee may consist of the direct costs of processing the data (such as copying, printing or postage) and the cost of equipment or consumables required to respond to the SAR. The ICO also suggests that this may include staff time, based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate.
The new guidelines encourage controllers to set unbiased criteria for charging, explaining when a fee is charged, giving a breakdown of standard charges and setting out how a fee is calculated. These criteria can then be made available to data subjects or to the ICO on request.
Since the introduction of the GDPR, more people, particularly in their capacity as employees, have become aware of their rights as data subjects, and organizations have seen an increasing number of SARs. These new guidelines, with their more flexible and comprehensive approach to SARs, have been well received by employers.
We encourage employers to start setting their fee policies now so that they are well prepared for future requests. If you need help setting up fee-charging criteria or guidelines, we can help.