DSARs - ICO publishes new detailed guidance

We have a look at some of the key changes, and the implications for how companies handle their DSAR obligations.

04 November 2020

Publication

On 21 October 2020, the ICO published its updated guidance on responding to data subject access requests ("DSARs") under Article 15 of the GDPR. The publication follows consultation in December 2019, to which over 350 organisations (of various sizes and from various sectors) responded.

In a blog post accompanying the new guidance, the ICO emphasises that the right of access is a "cornerstone" of data protection law, and the importance of organisations knowing how to deal with DSARs effectively and efficiently.

The new guidance provides welcome changes to the draft version published at the end of last year, as well as additional content and clarity on some of the challenges in responding to a DSAR. We have looked at some of the key changes, and the implications for how companies handle their DSAR obligations, below.

1. Stopping the clock for clarification

A welcome change in the final version of the guidance is the timescale for responding where an organisation needs clarification from the data subject about the scope of their request.

The new guidance explains that, where an organisation processes a large amount of information about an individual, they may ask the individual to specify the information or processing activities their request relates to before responding. Organisations can then "stop the clock" whilst they wait for the individual to clarify their request (and are not required to provide the individual with a copy of their personal data until the individual has responded). 

The guidance is clear, however, that it does not expect organisations to adopt this as a blanket policy: it will only be necessary where an organisation processes a large volume of information about the individual (which will depend on an organisation's size and resources available) and further clarification is genuinely required to respond to their DSAR. There is no requirement for organisations to seek clarification, and they may choose to perform a reasonable search to locate the data instead.

This change to the guidance is helpful and reflects the reality that organisations process large volumes of personal data about individuals. This should not, however, be used as a means of "running down the clock": organisations are expected to make the process of seeking clarification from the individual quick and easy, and provide advice and assistance to help data subjects clarify their request (including giving them a timescale to respond). There is no requirement for an individual to narrow the scope of their request: if they refuse to clarify or provide any additional information organisations are still expected to comply by running reasonable searches for this information.

2. The definition of "manifestly excessive"

The ICO has broadened the definition of "manifestly excessive", clarifying that organisations need to consider whether the request is "clearly or obviously unreasonable" when balanced against the burden or costs in dealing with it. The new guidance sets out the factors that should be considered, including:

  • the nature of the requested information;
  • the context of the request, and the relationship between the organisation and the individual; and
  • an organisation's available resources.

Organisations should exercise some caution if relying on this to refuse a request. The guidance is clear that a request is not necessarily excessive because the individual requests large volumes of information: all the circumstances should be considered (including asking the individual for more information or making reasonable searches for this personal data).

If organisations do decide a request is manifestly unfounded or excessive, they must ensure they have strong justifications for this which they can clearly demonstrate to the individual and the ICO.

3. Efforts made to find the information

A key change in the final guidance is that organisations are expected to make "reasonable" efforts to find and retrieve the requested information (the draft guidance stated the expectation was to make "extensive" efforts).

Organisations are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. In order to determine unreasonableness or disproportionality, organisations need to consider the following:

  • the circumstances of the request;
  • any difficulties involved in finding the information; and
  • the fundamental nature of the right of access.

The burden of proof falls on the organisation to justify why a search may be unreasonable or disproportionate. Certain searches may fall under the unreasonable or disproportionate heading, whereas other searches within the scope of the request may not; to the extent that this is the case, those other searches should still be carried out.

The ICO has also expanded on the definition of what may be classed as a complex request, including the need to obtain specialist legal advice.

4. Information about third parties

A consistent challenge facing organisations, and particularly employers, when responding to a DSAR is how to approach information that contains mixed data. This involves a careful balancing act, looking at the data subject's right of access against the rights of third parties.

The guidance retains the same three-step approach as the draft for dealing with requests that include the personal data of others. On the question of whether the other individual has consented to disclosure, the guidance now states that it may not be appropriate to ask a third party for consent where it would be inappropriate for that third party to know that the requester has made a DSAR. This will be helpful in contentious situations, or where organisations want to maintain discretion about the existence or nature of a DSAR.

The guidance also states that organisations should now take the "content and context" of third-party data into account when deciding whether to disclose it. This is likely to be helpful for employers when dealing with DSARs in the context of disciplinary and grievance processes.

Overview

It is a welcome development for organisations that the ICO has again recognised the importance of proportionality in responding to a DSAR, which was notably absent from the draft guidance. That omission would have had a significant impact on all aspects of the DSAR process, leading to a lack of clarity and consistency about the extent of organisations' obligations in responding to requests. It is now clear that the ICO expects organisations to balance the work required to supply the information sought on the one hand against the benefit of providing the data to the data subject on the other.

In publishing the final guidance, the ICO acknowledges the calls made during the consultation for clarity on aspects of the law that were not so "clear-cut". Whilst the new guidance provides some helpful clarity, the short time frame and the large volumes of data organisations hold about individuals mean that responding to a DSAR remains an administrative challenge for companies.

Simmons & Simmons have developed a toolkit to help firms respond to these challenges, which uses technical solutions and innovative workflows to customise how each DSAR is managed, reviewed and redacted. For more details about the DSAR toolkit, please reach out to any of the listed contacts or your usual Simmons & Simmons contact.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.