The right of access has been a fundamental data subject right in the UK since 1984 when data protection legislation was first introduced. The GDPR made it illegal for companies to charge a fee for responding and introduced rules about how the request should and should not be handled, such as what media should be used to present the information and how quickly it should be provided.
In October, the ICO issued updated guidance containing a number of practical tips for handling subject access requests (SARs). We take a look here at some of those tips.
1. Each subject access request in a bulk request should be considered individually. The ICO will take the fact of the bulk request into account when considering any complaints in relation to the response to individual requests.
2. There is no need to conduct searches that are unreasonable or disproportionate to the importance of providing access to the information. But take care: the burden of proof for what is unreasonable or disproportionate in the circumstances falls on the data controller. The circumstances must be exceptional and, of course, documented.
3. Requests should be acknowledged as soon as possible after receipt.
4. Use the acknowledgement to ask the individual’s preferred format for the response.
5. Deleted data does not have to be reconstituted.
6. Email – what to include in a response:
- email in a “deleted” folder has not been deleted and must be included;
- if an email contains no personal data other than the individual’s name, that email does not have to be disclosed, but the individual should be told how many emails included their name;
- it is acceptable to provide transcripts of the relevant information from an email, which is a good compromise where the email also contains personal data relating to third parties.
7. Fees for manifestly excessive requests can include the cost of photocopying, printing, postage, equipment and supplies, and staff time on a reasonable basis. Guidance from the ICO recommends defining a set of criteria for fees including the circumstances when they will be applied, standard charges and how other fees are calculated.
8. It is acceptable to “stop the clock” on the time allowed to respond to a subject access request while waiting for proof of identity. The individual making the request should be advised that the time spent waiting for proof of identity does not count towards the 28-day period allowed for making the response. Proof of identity does not have to be retained, but a detailed note should be kept of the fact that it was seen.
9. In exceptional circumstances, seeking further clarification of a request will also “stop the clock” on the time allowed to respond.
10. There is no requirement to translate into another language information provided in response to a subject access request.
11. The individual is entitled to a copy of the information, so even if access to the data is provided or a verbal response is given, a copy should still be provided (online portals should therefore include a facility to download the report). The individual should not have to take any action to receive the information, such as collecting it from the office or registering for an online account.
12. It is important to provide technical security for the information supplied in response to a subject access request. Hard copies may be sent by courier. Electronic copies should be encrypted or password protected, with the password sent over a different communication channel from the one used to deliver the copy.
The detailed guidance is available on the ICO website.