New ICO Guidance on Subject Access Requests
Introduction
The Information Commissioner’s Office (ICO), the UK’s data protection authority, has recently published updated guidance on an individual’s right to access their personal data. This OnPoint considers the key issues arising from the new guidance.
Under the General Data Protection Regulation (GDPR), data subjects can request copies of personal data that a data controller processes about them (commonly known as a ‘subject access request’). Whilst subject access requests have been a feature of data protection law for many years, the prominence of the GDPR and data privacy concerns more generally have resulted in increasing numbers of subject access requests being made. The ICO’s new guidance suggests that it expects a more pragmatic and business-friendly approach in certain areas. However, there are many issues that the ICO highlights as requiring a ‘case-by-case’ assessment and an evaluation of the particular circumstances. Responding to access requests will therefore continue to be nuanced, challenging for lots of businesses and, in many cases, contentious.
Key Takeaways
- Certain requests for information can be dealt with in the ordinary course of business, but staff should be able to distinguish between run-of-the-mill enquiries and subject access requests that should be escalated and treated more formally.
- Organisations are required to carry out a reasonable search to retrieve the requested personal data. An organisation may have fully complied with its obligations even if it has not managed to retrieve every item of personal data within the scope of the subject access request.
- Under the new guidance, the time limit to respond to a subject access request is “paused” whilst the data controller is waiting for the data subject to clarify what information they want to receive. In addition, the ICO has provided more examples of scenarios that may justify extending the deadline to respond from one month to three months.
- The ICO suggests that a subject access request can be refused where it is “clearly or obviously unreasonable” in the relevant circumstances. This may provide greater scope for organisations to refuse to comply with excessive subject access requests than was assumed possible under the ICO’s previous guidelines.
- Data controllers can decide on a document-by-document basis whether to extract the relevant personal data to provide it to the data subject or whether to supply a copy of the full document (redacted as appropriate).
Recognising a subject access request
There are no formal requirements for a subject access request – it just needs to be clear that the individual is asking for their own personal data. However, the ICO recognises that individuals may also request information in the ordinary course of dealing with an organisation. The ICO suggests that a practical distinction should be made between routine enquiries and requests that should be formally treated as a subject access request. The ICO recommends considering on a case-by-case basis how to respond to requests. It is therefore important that members of staff are able to identify enquiries that might constitute subject access requests and to escalate the requests as appropriate. This is particularly important for staff who are more likely to be sent a subject access request (such as employees who regularly interact with the public or work in HR). Putting in place appropriate training and policies will be important to ensure that requests are handled appropriately.
Extent of the search for personal data
The ICO appears to have relaxed its position on the extent of the search that a data controller is required to carry out in order to find and retrieve personal data in response to a subject access request.
The new guidance acknowledges that a data controller is not necessarily expected to provide a copy of all personal data relating to the relevant data subject. Rather, the data controller is required to make reasonable and proportionate efforts to locate relevant personal data. The extent of the efforts required will depend on the particular circumstances.
This approach brings the ICO’s approach closer to the position adopted by the courts in pre-GDPR case law. It is a welcome concession, as finding every item of personal data would in many instances impose a disproportionate burden on the data controller (for example, where an employer holds many years of archived documents and emails relating to a former employee). However, it is important that organisations are able, if challenged, to justify the extent of their searches to the ICO and indeed the requester.
Clarifying a request and ‘stopping the clock’
According to the new guidance, if an organisation processes a large amount of information about an individual and it is not clear what information the individual is really seeking with their subject access request, it may be reasonable to ask for clarification. An example might be where an individual has asked for ‘all information you hold about me’.
Whether the volume of personal data held by an organisation receiving a data subject access request is sufficiently large to justify seeking clarification from the requester should be assessed in the context of the size of the organisation that receives the request and the resources it has to deal with the request. The ICO’s guidance suggests that organisations will often process a sufficiently large volume of personal data about employees to meet this threshold unless the request has a limited scope.
The ICO suggests that it may be in the interests of both parties to narrow the scope of the subject access request. Otherwise there is a greater risk that the data controller’s reasonable search will not retrieve all of the information that the data subject is particularly interested in.
The ICO’s previous position was that requests for clarification would not alter the deadline to respond. However, according to the new guidance, once a request for clarification is made, the time limit to respond is paused until the requested clarification is received. The time period is only paused, not reset, so it is important to make any requests for clarification in a timely manner.
Extensions of time for complex cases
In complex cases data controllers can extend the one-month time limit to provide the relevant data by two further months, if necessary. The ICO’s guidance makes clear that the complexity of requests should be considered on a case-by-case basis, taking into account the specific circumstances. However, the ICO suggests new factors that can render a subject access request more complex and can therefore help justify an extension.
According to the ICO, a request is not complex merely because it involves a large volume of information. However, the fact that there is a large volume of information at issue is relevant and may make the request complex when there are other complicating factors, such as a need to obtain specialist legal advice or extract personal data that is co-mingled in documents that also contain other information.
Subject access requests can often arise in the context of other legal disputes, particularly employment disputes, as a means of obtaining documents relevant to the dispute without being restricted by the normal disclosure processes and in order to impose a burden on the other party. In these circumstances, issues of personal data being included in legally privileged material or mixed with sensitive information can be particularly prevalent and the need to analyse materials from this perspective is likely to increase the complexity of the request and make an extension more justifiable.
Refusing to comply – excessive and unfounded requests
The GDPR permits data controllers to refuse to comply with a subject access request (or charge a fee) if it is “manifestly unfounded or excessive”.
The ICO’s guidance suggests that the data subject’s intention can be relevant to assessing whether a subject access request is unfounded, such as where the request is malicious and is being used to harass an organisation with no real purpose other than to cause disruption.
The ICO has substantively changed its approach to excessive subject access requests. For an organisation to refuse to comply with a subject access request on this ground, the ICO considers that the request must be “clearly or obviously unreasonable” based on whether the request is “proportionate when balanced with the burden of costs involved in dealing with the request” and “taking into account all the circumstances of the request”. This is a more business-friendly approach than the previous draft guidance that suggested that requests were only likely to be excessive where they were duplicative of prior requests.
Refusing to comply with a subject access request is likely to be contentious and organisations should ensure that they are able to justify their position to the requester and to the ICO if necessary.
Should the data controller provide copies of the personal data or copies of documents containing the personal data?
It is important to note that data subjects are entitled to copies of their personal data, but not necessarily copies of the documents in which the data is found.
In practice, where an individual’s personal data is included in documents that also cover other information, a decision needs to be made as to whether to (a) extract the relevant personal data from the document, or (b) provide a copy of the document itself. The process of extracting personal data from documents can be time-consuming. However, if the documents contain other information that cannot be disclosed or that the data controller is reluctant to disclose, the process of redacting documents to remove such information can also be arduous.
The ICO’s guidance envisages that organisations can take a mixture of the two approaches. For example, the ICO suggests that where the data subject has been cc’d on emails, it may be appropriate to provide a copy of the relevant email address and tell the data subject that their email address is included in a certain number of emails (rather than providing a copy of each email). However, where the content of an email is about the data subject it may be more appropriate to provide a copy of the email itself (redacted as appropriate to remove other information).
Third party information
Generally, information about other individuals should not be provided to the data subject that has made the subject access request (e.g. it should be redacted from the disclosed documents).
However, the position is more complicated if a piece of information is the personal data of two individuals (e.g. the fact that Noel has a tempestuous relationship with Liam is personal data of Noel and personal data of Liam). In this circumstance the relevant information should only be provided in response to a subject access request if it is reasonable to do so (or with the other individual’s consent). The ICO’s new guidance emphasises that the data controller must decide whether disclosure of the information is reasonable considering all of the relevant circumstances, but if there is a duty of confidentiality to the other individual, the information should generally not be provided.
Conclusions
The ICO’s draft guidance on subject access requests was put to public consultation earlier in the year. The final version suggests that it has taken on board organisations’ concerns on various issues. The new guidance is more pragmatic in a number of areas and shows a greater appreciation for the significant burden that subject access requests can impose upon businesses. The ICO has indicated that it is legitimate to take into account an organisation’s resources and the likely cost burden of addressing a subject access request. However, the ICO is unlikely to attribute particular weight to these factors if an organisation is under-resourced or faces additional costs, because of a failure to implement adequate information management systems and procedures or to otherwise prepare for handling subject access requests.
Subject access requests can be enforced by the ICO and through the courts. The ICO has significant enforcement powers including the ability to impose substantial fines. However, it should be noted that it is obliged to act proportionately. A data subject may also seek to enforce a subject access request in court. Even if an organisation has failed to comply with a subject access request, it is at the court’s discretion whether to order compliance. A court may also award damages to compensate a data subject for the data controller’s non-compliance. Damages for breach of the GDPR are a developing area of law, and the approach that a court might take to assessing damages for non-compliance with a subject access request is not yet settled.
It is important to take a considered and strategic approach to requests for clarification, extensions of time and the extent of searches in order to comply in an efficient and effective way. These issues may be interrelated. For example, if a subject access request is narrowed following a request for clarification, the ICO might consider it reasonable for the search of that narrowed scope to be more granular than a search of the full scope of the initial request.
Whilst this revised guidance is generally good news for organisations receiving subject access requests, they should nonetheless consider whether they need to revisit their protocols and internal procedures in relation to the treatment of data subject access requests to ensure their effective management and minimise the risk of time-consuming and costly disputes and complaints to the ICO.