Late last year, the ICO’s new guidance emphasised the significance of the right of access for individuals in an increasingly digital world (particularly during the Covid-19 pandemic). It also highlighted the importance of organisations having effective and efficient policies and procedures for handling subject access requests (SARs). This is relevant to all organisations that process personal data: controllers must comply with the SAR requirements in the GDPR and DPA 2018, and processors may have to help their controller customers comply.
An individual data subject has the right to find out whether a data controller is processing their personal data. If the answer is ‘yes’, that individual has a right to access the personal data and other comprehensive information regarding the processing conducted by the data controller. Data processors that process personal data on behalf of data controllers may need to assist data controllers in complying with SARs.
Insolvency practitioners (IPs) handle significant quantities of personal data. Some of this data will have been collected and held by the insolvent company before liquidation (such as employee and customer databases). In this situation, a liquidator acts as the company's agent and does not become the principal in the company’s place, and is therefore classed as the data processor for that data.
However, the position is different for data processed by a liquidator in its own right. This could be data arising from the employment of staff after liquidation, for example, which would make the liquidator the data controller. The same applies to data relating to the IP’s own office (for example, creditor and debtor information).
So, depending on the circumstances, IPs may be controllers or processors of personal data under data protection law. For this reason, it is important that IPs are aware of the requirements relating to SARs and, in particular, the latest guidance from the ICO.
On 21 October 2020, the ICO published new detailed SARs guidance with the aim of simplifying and clarifying various elements of subject access requests.
The new guidance discusses the right of access in detail and looks to give practical examples and advice.
As identified during the consultation process, the following areas of SARs were given particular focus by the ICO:
If you hold a large amount of information and it is not clear what specific information the individual is requesting, or if it is genuinely unclear whether an individual is making a SAR, you can seek clarification from the data subject. The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’. However, be aware that if clarification is provided on the same day as the request, this does not stop the clock.
Here is an example:
If you receive a request on 14 May, the time limit starts from the same day. You will have one month to reply, which means you should respond by or on 14 June.
However, if you ask for clarification on 15 May, the clock stops from 15 May until the date the requester responds. If the requester provides you with clarification on 18 May, the timing will resume on that date.
In this instance, the clock stopped from 15 May until 18 May. This means that you can extend the original one-month deadline by three days and you should provide a response by or on 17 June.
This process will effectively give you longer to respond to SARs if the requester is not being responsive to your requests for further information. Nonetheless, the emphasis is still on you to act diligently, and if a requester responds and either repeats their request or refuses to provide any additional information, you must still comply with their request by making reasonable searches for the information. If you do not receive any response, you may ‘close’ the request after a reasonable period.
In cases where you need ID to verify the identity of the requester, the timescale for responding to a SAR does not begin until you have received the information you’ve asked for.
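The deadline rules described above (a one-month period that starts on the day the request, or any ID you have asked for, is received; the clock stopped between asking for clarification and receiving it; a same-day clarification adding nothing) can be turned into a small calculator. The following Python is an added example and is not part of the original article or the ICO's guidance. It also applies the ICO's rule, not stated above, that where the following month has no corresponding date (a request received on 31 January, for instance) the deadline is the last day of that month; the next-working-day adjustment for deadlines falling on a weekend or public holiday is not modelled. The class and function names are the example's own, and the dates are taken from the 14 May worked example above.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


def one_month_after(start: date) -> date:
    """Return the corresponding calendar date in the following month.

    Where the following month is shorter and has no such date (e.g. the
    request arrives on 31 January), the ICO uses the last day of that month.
    """
    if start.month == 12:
        year, month = start.year + 1, 1
    else:
        year, month = start.year, start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class ClarificationRound:
    """One request for clarification sent to the data subject."""

    asked: date
    received: Optional[date] = None  # None means the requester has not yet replied

    def paused_days(self) -> Optional[int]:
        """Days the clock was stopped, or None while the reply is outstanding.

        Asking and receiving on the same day yields 0, so a same-day
        clarification does not move the deadline.
        """
        if self.received is None:
            return None
        if self.received < self.asked:
            raise ValueError("clarification received before it was requested")
        return (self.received - self.asked).days


@dataclass
class SubjectAccessRequest:
    """Timeline of a SAR, used to compute the statutory response deadline."""

    received: date
    id_verified: Optional[date] = None  # set when proof of identity was needed and arrived
    clarifications: list[ClarificationRound] = field(default_factory=list)

    def clock_start(self) -> date:
        # Where ID has been requested, the one month does not start until it arrives.
        if self.id_verified is not None:
            return max(self.received, self.id_verified)
        return self.received

    def deadline(self) -> Optional[date]:
        """Date by which the response is due, or None while the clock is stopped."""
        base = one_month_after(self.clock_start())
        extra_days = 0
        for round_ in self.clarifications:
            paused = round_.paused_days()
            if paused is None:
                return None  # still waiting for the requester; clock is stopped
            extra_days += paused
        return base + timedelta(days=extra_days)


if __name__ == "__main__":
    # Constructed input reproducing the article's worked example.
    sar = SubjectAccessRequest(received=date(2021, 5, 14))
    print("no clarification:", sar.deadline())        # 2021-06-14
    sar.clarifications.append(
        ClarificationRound(asked=date(2021, 5, 15), received=date(2021, 5, 18))
    )
    print("clock stopped 3 days:", sar.deadline())    # 2021-06-17
    print("31 Jan request:", one_month_after(date(2021, 1, 31)))  # 2021-02-28
```

A request logged with a `ClarificationRound` whose `received` is still `None` has no deadline yet, which is the state the article describes as the clock being stopped; once a reply is recorded, the deadline moves by exactly the number of days the clock was paused.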
The concept of a ‘manifestly unfounded or excessive’ request has been broadened. It now gives organisations greater scope to refuse to respond to such requests, or to charge a reasonable fee for doing so.
Each request must be dealt with individually and consider:
The ICO has made it clear that organisations can take into consideration the cost of staff time to respond to these requests. As such, it has provided high level guidance on how to quantify these costs, stating that you can take the administrative costs of the following into consideration:
You cannot ‘double-charge’ if these activities overlap.
The ICO also suggests that a reasonable fee may include the costs of:
As yet, there is no regulatory guidance on the limits to any fees that you charge, but you should act responsibly and charge a reasonable, proportionate and consistent rate.
If you choose to charge a fee, you do not need to comply with the request until you have received the fee.
In addition to the above clarifications, here are a few other points from the guidance worth flagging:
Although a lot of the guidance in this newest version will be familiar to IPs, the ICO was keen to highlight that it has taken on board calls from organisations during the consultation period to provide more clarification on some of the more ambiguous aspects of the SAR requirements.
The ICO also confirmed that it is looking to provide extra support by planning a suite of resources. One of these will be a simplified SAR guide for small businesses, which aims to set out the key ‘need-to-knows’ from the detailed guidance.
For legal assistance in meeting your data compliance requirements, contact Ed Hayes.
22 February 2021