The publication of the guidance follows the ICO’s December 2019 consultation. The ICO has said it also plans to publish a more focused version of the guidance for small businesses.
Responding to DSARs has become an increasingly costly and cumbersome requirement for organisations. And while the guidance does not go as far as some respondents to the consultation hoped to make things easier for data controllers, it does include welcome changes. The key developments are the right to ‘stop the clock’ when seeking clarifications, additional guidance on identifying ‘manifestly excessive’ or ‘manifestly unfounded’ requests, and guidance on fees for dealing with excessive or unfounded requests.
The guidance gives organisations the right to ‘stop the clock’ on the response deadline in some situations. If an organisation holds a large amount of information and it is not clear what information an individual is requesting, or where it is genuinely unclear whether an individual is making a DSAR, the organisation can seek clarification. The guidance says the deadline for responding extends for the same amount of time as the requester takes to provide the clarification.
This helps organisations avoid the double jeopardy of having an approaching deadline but not enough information to provide a meaningful, focused reply. However, if an individual responds and either repeats their original request or refuses to provide any additional information, an organisation still has an obligation to act diligently, and should make reasonable searches, based on the information provided, in order to reply. But if an individual does not reply at all, an organisation can ‘close’ the DSAR without replying further after a reasonable period of time.
Organisations have always been able to reject ‘manifestly’ excessive or unfounded DSARs. The new guidance gives more direction on when a DSAR falls into those categories.
In both cases the starting point is that an organisation must consider a request on its own merits, and avoid a blanket approach.
The guidance gives examples of manifestly unfounded requests, including those which show no intention of exercising the right (e.g. requesting payment to withdraw a request), and those which are malicious in their intent or harassing (e.g. making unsubstantiated allegations, targeting an employee, or bombarding different parts of an organisation with requests to cause disruption).
To decide if a request is manifestly excessive an organisation needs to decide whether it is clearly or obviously unreasonable. It should base that assessment on whether the DSAR is proportionate when balanced with the burden or costs involved. This assessment should take into account:
The guidance points out that a DSAR is not necessarily excessive just because a requester asks for a large amount of information, and that an organisation should consider asking the requester for more information to help it locate relevant information, and ways of making reasonable searches for information, if it considers a request excessive.
The guidance is clear that organisations should not have a blanket policy for categorising DSARs as manifestly excessive, and should have strong justifications for making that decision, which they can provide to the requester and the ICO.
The guidance says that instead of refusing to reply to a manifestly excessive or unfounded request, an organisation can charge a reasonable fee for replying. Those costs can include:
There is no regulatory guidance on the limits to ‘reasonable’ fees, but organisations should ensure they are proportionate and consistent.
Importantly, if an organisation elects to charge a fee, it does not have to reply to the DSAR until it has received the fee.
The guidance includes other useful points for organisations handling DSARs:
Although the guidance is not a golden bullet for the increasing burden for organisations of replying to DSARs, it includes helpful changes and clarifications that should make things simpler and (in some cases) less costly. The key for organisations in taking advantage of the updated guidance will be identifying and applying a consistent approach to DSARs, whilst always looking at the context of each DSAR individually.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.
23 October 2020