01 November 2020
Paul Motion and Lucia Spadaro consider new ICO guidance on Subject Access Requests.
The revised guidance issued by the Information Commissioner’s Office (ICO) on 21 October 2020 on subject access requests (SARs) and the other subject rights afforded by the GDPR and the Data Protection Act 2018 has received mixed reviews. Data subjects claim it has made it easier for data controllers to prevaricate or limit their responses. Data controllers argue that it is still almost impossible to refuse a SAR and that the clarification doesn’t actually clarify the grounds for refusal. Oh no it doesn’t, oh yes it does: appropriately enough, we are approaching the panto season (subject to coronavirus).
SARs have been an entrenched right since the 1995 Data Protection Directive was transposed into UK law by the DPA 1998. The right to request information about oneself held by a data controller is fine in principle. However, experience has shown data controllers that the time and fiscal costs of SAR compliance can impose a very significant operational burden.
This blog focuses on three areas in the guidance relative to SARs.
Stop the Clock
In May 2018, the GDPR reduced the SAR response period from 42 to 30 days. Guidance that was snuck out in August 2019 stated that the clock started running on the date of receipt, rather than the day after, as everyone had understood. In a significant change, the ICO has now confirmed that if the data controller asks for clarification of the SAR, the clock will stop until the necessary clarification has been received. Previously, the clock only stopped if there was an issue in verifying the identity of the SAR requester. The more cynical might argue that data controllers will use this relaxation to stall the SAR. Perish the thought. However, the ICO has made clear that a data controller may only request clarification where it is genuinely unable to respond to the SAR without further information. The request must be made in a timely way, it must be easy for the data subject to provide the clarification, and the clarification must relate to the information requested, not anything else. For example, you could not buy yourself a few extra days by pausing to establish whether the data subject would prefer to receive their personal data in digital format, as opposed to lovingly etched in copperplate by a team of Trappist monks (though the latter appears to be the response method of choice for a certain Westminster department, to judge by its turnaround of FOI requests).
The Right of Refusal
This is a highly contentious area in relation to which data controllers are often nervous. The new guidance gives some clarification to data controllers on when they may refuse SARs as manifestly excessive or manifestly unfounded, or both.
In order to refuse a request on the ground that it is manifestly excessive, the data controller must consider whether it is obviously unreasonable. Plainly there is an element of subjectivity involved. Thankfully, the ICO goes on to list helpful criteria to consider when making this decision. Data controllers should consider the burden of costs involved in processing the request, the context and nature of the request, the resources that are available to them, and whether there are any overlaps or repetitions with other requests made by the data subject. In terms of overlaps and repetitiveness for multiple SARs, the data controller should consider whether they have amended or updated the data since the last request and whether the requested data is sensitive or not. Unfortunately, no explanation is provided as to what bearing the sensitivity of the data has on refusing the request.
It seems clear that a data controller cannot refuse a SAR as manifestly excessive simply because the data subject is known to them and possibly considered a nuisance. There is also a burden on the data controller to provide the data subject with reasons for a refusal, as well as the usual information about their right to complain to the ICO and their right to take the matter to court.
In relation to refusal as manifestly unfounded, there must be a genuinely held belief that the data subject is acting maliciously and does not actually want to exercise their right of access in order to verify the data held or the processing activities. The new ICO guidance seems to contemplate more sinister scenarios where requests may be refused if they are malicious, made in connection with a grudge, target a specific individual, or are intended to cause disruption. This will present a high bar in practice, and we expect each case to be decided on its own facts.
Confusingly for data controllers whose staff are on the receiving end, the ICO has advised that abusive and aggressive language, whilst ‘not acceptable’, is also ‘not by itself sufficient grounds for refusal’.
The starting position is that no fee may be charged for responding to a SAR, no matter how much time, money and energy it may require. The ICO now advises that where a SAR has been deemed manifestly unfounded or manifestly excessive, but the data controller nonetheless decides to respond rather than refuse, a ‘reasonable fee’ can be charged. A reasonable fee is defined as one that has been arrived at after considering the costs involved in processing the information: locating, retrieving and extracting it, providing a copy of it to the data subject and communicating it to them. A long-awaited clarification of sorts has also been given on the inclusion of staff time. However, the clarification seems to be taken away as easily as it was given. The ICO states that staff time should be charged at a reasonable hourly rate. Sadly for the data subject, there is no set limit on how much may be charged at this time.
So, are we any further forward? On balance, there is probably more in the guidance to cheer data controllers than data subjects, and there is still a lot of subjectivity involved, particularly in relation to ‘unfounded’ requests. However, in this complex area of the law, any guidance is to be welcomed.
Paul Motion is an Accredited Specialist in data protection law. Lucia Spadaro is a trainee solicitor in BTO’s specialist Data Protection Team. For further information contact:
Paul Motion firstname.lastname@example.org / 0131 222 2932
Lynn Richmond email@example.com / 0131 222 2934
Note: DPA 2018 Section 45; GDPR Article 15.