Responding to Subject Access Requests
UK data protection legislation bestows a number of rights upon individuals (“data subjects”) regarding their personal data. One of the most important is the right of access, exercised by means of a data subject access request (or simply “subject access request” or “SAR”). It entitles individuals to obtain a copy of their personal data from you, as well as certain other important information such as details of the purposes for which you are using the data and how long you will keep it.
Subject to certain limited exceptions, you must respond to a subject access request within one month of receipt. In some cases, you may need to request additional information to confirm the identity of the individual making the request. Furthermore, if the request is “manifestly unfounded or excessive” or if additional copies of data are required following a request, you may be able to charge a fee to cover your administrative costs (although charging a fee is no longer the norm as it was under the Data Protection Act 1998).
In either of the cases above, the one-month timeframe does not begin until you have received the information and/or the fee from the individual making the request.
In some cases, particularly if you hold and process a large amount of personal data about someone (or if it isn’t clear that they are making a subject access request in the first place), it may be necessary to ask them for clarification before you respond to the request. For the better part of a year now, asking for clarification has had no impact on the time limit for response – much to the surprise and distaste of many data controllers.
Late in October 2020, however, the Information Commissioner’s Office published new guidance on subject access requests, building on the responses it received to a consultation first published in December 2019. Asking for clarification now “stops the clock” running on the response time limit. Other key updates in the latest ICO guidance include a clarification on what “manifestly excessive” means and details on what can be included when calculating a fee.
Updated SAR Templates
To reflect this new guidance, we have updated our suite of document templates for handling subject access requests. Our guidance notes have received a comprehensive update, incorporating information on the new time limit calculation, the definition of “manifestly excessive”, and factors to consider when calculating a fee. Other sections of the guidance notes have also been updated with more detail.
Our SAR Policy and Procedure and a number of our SAR letter templates have also been updated to reflect the new guidance.
Please note: All of the documents which have been updated are listed as part of this newsletter (in the right-hand column of this page). All documents in the SAR subfolder have been reviewed. If a document has been reviewed but has not been amended, the document description has been changed to reflect this, but the document itself is not marked as an update.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.