ICO Right of Access Guidance: How you can handle DSARs effectively and efficiently
Individuals are increasingly relying on their right under article 15 of the General Data Protection Regulation ("GDPR") to make data subject access requests ("DSARs"). Some of these requests are genuine enquiries to understand what personal data is being held and processed about the individual, but more recently DSARs have also been used as an additional disclosure tool in disputes. This marked increase in requests poses significant challenges for organisations, which must allocate time and resources to responding to them. In an effort to help organisations handle DSARs more effectively and efficiently, the UK Information Commissioner's Office ("ICO") has published new detailed guidance on the right of access (the "Guidance").
Below we summarise some of the key takeaways from the Guidance for organisations that are preparing for, and managing, DSARs.
Preparation
Regardless of whether you receive DSARs regularly, the ICO recommends preparatory steps are taken to ensure compliance with obligations under both the Data Protection Act 2018 and the GDPR.
How you prepare for DSARs will be dependent on the type of personal data processed, your size and resources as well as the volume of DSARs typically received. However, common methods of preparation include:
Asset Registers
Registers help establish where personal data is stored across your organisation. This should reduce the time taken to track down personal data following receipt of a DSAR and help ensure that responses are sent within the statutory time limits.
DSAR Checklists
You are encouraged to produce checklists setting out the steps to be taken when a DSAR is received. Checklists help you ensure that a consistent approach is adopted to producing DSAR responses. This will be particularly useful where you receive large volumes of DSARs and where different teams (or team members) are involved in responding to them.
DSAR Logs
Logs or trackers help you keep track of the date on which each DSAR was received and how long you have left before the response deadline. Logs can also be used to record any exemptions relied on for withholding personal data from a DSAR response. This is important if a data subject complains to the ICO. Logs are also central to your ability to evidence compliance with your accountability obligations.
Training
The ICO recommends training staff so they understand your obligations when responding to a DSAR and so they can recognise a request when one is made, in whatever form it arrives. Such training is key to meeting the statutory response timelines.
Clarifications
The ICO has also clarified in the Guidance several aspects of the law which were identified through a consultation as presenting challenges for organisations managing DSARs.
Stopping the clock
Article 12(3) of the GDPR requires you to provide copies of an individual’s personal data without undue delay and, in any event, within one month of receipt of a DSAR. You may extend that period by up to two months where necessary, taking into account the complexity and number of requests.
According to the Guidance, where you process a large amount of personal data about the individual and genuinely require clarification of the scope of the DSAR in order to respond to it, you may "stop the clock" until you receive that clarification.
In practice, this means that the statutory time limit for responding to the DSAR is paused until the individual's clarification is received. You should note that you must request clarification without undue delay, and you must be able to explain to the ICO why clarification was sought if asked to do so.
Manifestly excessive
You are permitted under article 12(5)(b) of the GDPR to refuse to respond to a DSAR where it is manifestly unfounded or excessive. The Guidance states that a manifestly excessive request is one which is clearly or obviously unreasonable, based on whether the request is proportionate when balanced with the burden or costs involved in handling the request.
This definition of manifestly excessive is broader than the definition previously relied on by the ICO and for the first time considers a commercial justification for not responding to a request. However, you are still required to consider each DSAR individually and must have strong justifications for why you consider a request to be manifestly excessive (i.e. you are not allowed to refuse a request solely because the request is for a large volume of data). To this end, you should consider whether seeking further clarification from the individual would assist with locating the requested information.
Fees
Generally, you cannot charge a fee for responding to a DSAR. However, article 12(5)(a) of the GDPR permits a reasonable fee to be charged when responding to manifestly unfounded, excessive or repeat requests.
The Guidance clarifies that you may take into account the costs of photocopying, printing, postage and any other costs involved in transferring the personal data to the individual, as well as the costs of equipment and supplies and the time required by staff to provide a response.
Any fee which is charged must be reasonable, proportionate and consistent and therefore you should consider creating an unbiased set of criteria for charging fees which can be made available on request. These criteria may include the circumstances when a fee is charged, the standard charges (such as rates for photocopying and staff time) and calculation of the fee.
Conclusion
The ICO is clear that it expects you to handle DSARs effectively and efficiently, taking account of your size and resources. The onus is now on you to evaluate carefully your existing processes and procedures for preparing for and managing DSARs in light of the practical advice and clarifications contained in the Guidance.
Byte sized news
- Updated ICO statement on the European Data Protection Board (EDPB)'s recommendations following the Schrems II case: The ICO has issued an updated statement on the EDPB's long-awaited recommendations following the Schrems II judgment, which set out supplementary measures in the context of international transfer safeguards, together with recommendations on the European Essential Guarantees for surveillance measures. The ICO's statement reiterates that it will continue to apply a risk-based and proportionate approach to regulating international transfers.
- ICO guidance on data protection and contact tracing: The ICO published guidance on contact tracing setting out five key considerations for businesses when setting up contact tracing: (i) organisations should only ask for the information set out in the government guidance, such as name, contact details and time of arrival; (ii) organisations should inform individuals about how their personal data is being processed, either through a displayed notice or by other means; (iii) organisations must ensure security measures are in place to protect the personal data collected; (iv) organisations must not use data collected for contact tracing for any other purpose; and (v) organisations should only keep the personal data for the periods specified in government guidance and must dispose of it securely.
- Release of draft standard contractual clauses ("SCCs"): The European Commission has released for consultation drafts of the long-awaited updated controller-to-processor and controller-to-controller standard contractual clauses for the transfer of personal data to a third country, and a new set of controller-to-processor standard contractual clauses for compliance with article 28(3) and 28(4) of the GDPR. The drafts are open for consultation until 10 December 2020 and final versions are expected in early 2021. Of note in the current draft is that the Commission proposes to give organisations a 12 month grace period in which to replace existing standard contractual clauses with the updated versions.
- Vodafone fined over €12 million by the Italian DPA: The Italian data protection supervisory authority has ordered Vodafone to pay a fine of over €12 million for unlawfully processing the personal data of millions of individuals for marketing purposes. Vodafone has also been ordered to implement several measures set out in the authority's decision. The authority had received hundreds of complaints from individuals about unsolicited telephone calls from Vodafone, which led to its investigation. The investigation identified major contraventions by Vodafone of its obligations under the GDPR, including failures to meet the consent requirements and breaches of its accountability obligations. Specific contraventions noted in the decision included (i) Vodafone's use of fake numbers to make promotional calls, and (ii) the handling and use of contact lists purchased from external providers without the consent of the individuals on those lists.
With thanks to Harry Newton and Aruse Okaisabor for their contributions.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.