In response to a consultation process, the Information Commissioner's Office (ICO) has updated its guidance on the right of access under the General Data Protection Regulation ((EU) 2016/679) (GDPR).
The updates to the guidance aim to provide clarity on some of the main areas that can cause confusion for organisations that receive a subject access request (SAR), including clarifying the distinction between 'routine requests' and SARs and a reminder that SARs can be made via social media. We have summarised three areas of interest below:
Time Limits for Response
In certain circumstances, where a SAR is unclear or broad-ranging (for example a request for "everything your organisation holds about me"), you are permitted to ask the requester to clarify the scope of their request, to assist you in locating the information which they are seeking. Whilst you are waiting for a response to this request, the period of time available to respond to a SAR (usually one month) can be paused, pending receipt of clarification from the individual.
The ICO guidance gives an example of a supermarket who receives a SAR from a long-standing employee: "Until the supermarket receives clarification, they will be unable to perform a reasonable search, or provide a copy of the information, as they do not know what information the request relates to."
The ICO has stated that organisations should not routinely seek clarification on a blanket basis; the information should be genuinely required to enable your organisation to respond to a SAR. Before seeking clarification you must be satisfied that you hold a large amount of information about the individual, and that it is not clear (from the original request) what information they are seeking.
The ICO guidance also confirms that, if an employer requests clarification, it may extend the time limit to respond by the number of days that the clock was stopped whilst the clarification was awaited.
As you may be aware, the GDPR permits organisations to extend the period for their response to a SAR by up to a further two months, where the request is complex. The ICO has expanded its guidance on what might indicate a "complex" request. The updated SAR guidance now states that taking specialist legal advice or having to consult with a health professional (among other factors) could indicate that a request meets the threshold of being complex.
Failure of the Requester to Engage
The guidance also provides clarity on what happens to requests where the requester has failed to engage with your organisation, for example by refusing to provide ID or respond to a clarification request. In these circumstances you may close the SAR after one month, but this is not a hard and fast deadline, and you should exercise judgement about what a reasonable period of time would be, given the context of the request and requester.
Determining Manifestly Excessive SARs
Organisations may refuse to respond to SARs that are manifestly excessive. Further detail has been given to assist organisations when assessing whether a SAR is manifestly excessive. The ICO recommends taking all the circumstances of the SAR into account and using those factors to determine whether the necessary response is proportionate when balanced with the burden or costs involved in dealing with the SAR.
Employers should still treat this provision with caution, as the threshold for "excessive" remains relatively high, and we consider that it is unlikely to apply to the vast majority of SARs received. Furthermore, a request will not necessarily be considered excessive simply because a large amount of information has been requested. Employers should consider asking for clarification from the requester as set out above.
An exemption that is widely and commonly used by employers when dealing with requests from employees is the confidential references exemption, which permits employers to withhold references (either received or given) in certain circumstances. The updated guidance explains that organisations should make it clear in their privacy notices whether references will be treated as confidential or otherwise. The ICO is recommending a policy of openness in relation to references as a preferable approach.
You may want to review your organisation's staff privacy notice, to ensure that it covers the treatment of references and that this reflects the approach that you take in practice. If your preference is to withhold references in response to a SAR then you should make it clear in the notice that references will be treated confidentially.
It is essential that organisations respond to SARs correctly. An employer should ensure the process of responding to a request, including seeking and obtaining clarification, is quick and efficient - waiting until the last minute before making a request for further information could make it difficult for you to meet the deadline, as the clock only stops from the point at which you make the request for clarification. This may in turn give rise to complaints being made to the ICO.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.