Following its consultation, which ended in February this year, the ICO has published new detailed guidance on responding to DSARs under the General Data Protection Regulation 2018 (GDPR). To view our earlier alert about the draft guidance issued as part of the consultation click here.
The updated guidance provides clarification for employers as data controllers grappling with DSARs. In the ICO’s own words, it provides more support and clarification on “some aspects of the law that aren’t so clear cut”. We contributed to the ICO’s consultation and are pleased that the ICO has adopted at least some of our recommended changes, in particular on the issue of clarification / timescales (see below).
The guidance runs to 81 pages and covers all aspects of the process of responding to DSARs. The ICO’s position on extending time due to complexity, carrying out searches of archived data and dealing with third-party information is largely unchanged. However, there are material developments for employers responding to employee DSARs, as follows:
1) Clock stops while clarifying the DSAR
At the end of 2019, the ICO departed from its previous position and stated that the start of the one or three month time period for complying with a DSAR would no longer be delayed until a data controller receives clarification of a request. This position was reflected in the draft guidance produced for the purposes of consultation, and was considered controversial by many and potentially inconsistent with the GDPR.
The new guidance offers a compromise in the form of a “stop the clock” mechanism where clarification of the DSAR is genuinely needed in order for the data controller to carry out a reasonable search. In these circumstances, the timescale for responding to the DSAR will be extended by the period taken for the data subject to provide the requested clarification.
So, for example, if a DSAR is submitted on 14 November, clarification is sought by the data controller on 16 November but this clarification is not provided by the data subject until 16 December, the data controller will benefit from an additional month to complete the response to the DSAR (as the clock stops between 16 November and 16 December).
Of course the data subject might respond very promptly, in which case the extension of time will be minimal. Should the data subject reply the same day, a data controller will not benefit from any extension of time.
The use of this mechanism is subject to a number of conditions in particular:
• A request for clarification should be made “as quickly as possible” (we would suggest within 3 working days).
• Clarification should be sought only where it is genuinely required in order to respond to the DSAR and where the controller processes a large amount of information.
• When seeking clarification, you must highlight the fact that the clock stops and will resume on the day the individual responds.
The guidance also makes clear that a data controller can still ask about the context in which the information may have been processed and likely dates of processing as part of the clarification request. However, a data subject remains entitled to ask for “all the information held” and, if they refuse to provide any further information, the correct response from the data controller is to carry out a reasonable search.
Finally, in an interesting addition, the guidance notes that there is no obligation to seek clarification, and that a data controller might choose instead to perform a reasonable search. Of course this will be a judgment call to be taken based on the terms of the DSAR and the ability to carry out a search without the benefit of clarification.
2) Manifestly excessive requests clarified
Data controllers need to ensure that any DSAR responses are reasonable and proportionate. However, a data controller may refuse to respond to a request, or part of it, if it can show the request is “manifestly unfounded or manifestly excessive.” The ICO has broadened the definition of a manifestly excessive DSAR so arguably more DSARs will be captured.
The guidance sets out that data controllers cannot have a blanket policy regarding this exception and must assess each DSAR on its facts.
Whether a DSAR is “manifestly excessive” turns on whether it is clearly or obviously unreasonable taking all the circumstances of the request into account. This will include:
• the nature of the requested personal data including if it’s particularly sensitive;
• the context of the request, and the relationship between the data controller and the data subject;
• the resources available to the organisation, weighing up the burden (including costs) involved;
• whether the DSAR largely repeats previous requests and a reasonable interval has not elapsed; or
• whether it overlaps with other requests.
In determining whether a reasonable interval has elapsed data controllers need to consider how often the data is altered.
Requesting a large amount of information in itself will not make a DSAR manifestly excessive.
A DSAR may be “manifestly unfounded” if the individual clearly has no intention to exercise their right of access or the request is malicious.
The use of “manifestly” in these concepts means there must be an obvious or clear quality to the unfoundedness or excessiveness. Data controllers will need a strong justification for this and must be able to explain it both to the data subject and, if need be, to the ICO. Data controllers are cautioned against presuming a DSAR is manifestly excessive or unfounded simply because a prior DSAR met this test. Each DSAR must be assessed on its own merits.
3) Charging for excessive, unfounded or repeated DSARs
In most cases data controllers cannot charge a fee for responding to a DSAR. However, a reasonable fee can be charged for the administrative costs of complying with a DSAR if it is manifestly unfounded or excessive, or if an individual requests further copies of their data following a request. As noted above, an alternative is to refuse to comply with an excessive or unfounded request.
A reasonable fee may include the costs of:
• Transferring the information to the data subject i.e. photocopying, printing, postage or providing access to an online platform
• Equipment and supplies such as USB devices
• Staff time charged at a reasonable hourly rate (there is no rate suggested for this)
The costs must be explained clearly to the data subject. The guidance states there is no need for data controllers to publish the criteria for charging fees online but the fees should be clear, concise and accessible, and charged in a consistent manner. Any fees should be capable of justification should a complaint be made to the ICO.
What does this mean for employers?
The new “stop the clock” provision, which applies when seeking clarification of a request, is a welcome development for employers, given the difficulties of meeting a DSAR deadline when further details are needed to inform the search exercise. (Of course, it is not as generous as the position under the old Data Protection Act 1998, or the ICO’s previous position under the GDPR, under which the clock would start only once clarification was provided.) In practice, if clarification is needed, data controllers must act quickly, and we would suggest also commencing the search exercise in parallel, with a view to refining this exercise if and when the clarification is provided. It is also important to keep an accurate log of when DSARs are received, when clarification is requested and when it is provided, to ensure that the response deadlines can be calculated correctly.
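As an added illustration of the date-logging point above and of the 14 November / 16 November / 16 December worked example in section 1 (this is our own example code, not part of the ICO guidance), the following calculator derives a response deadline from a logged DSAR record. It assumes the conventional calendar-month count (the corresponding date in the following month, or the month end if that date does not exist) and that a stopped clock is extended day for day; the 2020 year and the `DsarRecord` field names are illustrative.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` ahead, or the month end if that day does not exist
    (e.g. 31 January + 1 month = 28/29 February). Assumed counting convention."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DsarRecord:
    """Minimal DSAR log entry: the three dates the article says must be recorded."""
    received: date
    clarification_sought: Optional[date] = None
    clarification_received: Optional[date] = None
    months: int = 1  # 1 normally; 3 where the complexity extension has been applied

    def deadline(self) -> date:
        """Base deadline plus the number of days the clock was stopped awaiting clarification."""
        base = add_months(self.received, self.months)
        if self.clarification_sought is None:
            return base  # no clarification sought: no extension
        if self.clarification_received is None:
            raise ValueError("clock still stopped: clarification not yet received")
        if not (self.received <= self.clarification_sought <= self.clarification_received):
            raise ValueError("clarification dates are out of order")
        paused = (self.clarification_received - self.clarification_sought).days
        return base + timedelta(days=paused)


if __name__ == "__main__":
    # Constructed example matching the article: DSAR 14 Nov, clarification sought 16 Nov, answered 16 Dec.
    rec = DsarRecord(date(2020, 11, 14), date(2020, 11, 16), date(2020, 12, 16))
    print(rec.deadline())  # 2021-01-13: the 30 stopped days push 14 Dec back by roughly a month
```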
The revised guidance on manifestly excessive or unfounded DSARs, and also on the circumstances in which a fee can be charged, is helpful but we expect it will remain a rare case in which an employer can justify relying upon these provisions in the context of an employee DSAR (and particularly so if the DSAR is submitted in the context of wider litigation relating to discrimination or whistleblowing).
The ICO has also said it is planning a suite of further resources which we shall watch out for.