UK data protection legislation bestows a number of rights upon individuals
(“data subjects”) regarding their personal data. One of the most important
is the right of access, exercised by means of a data subject access request
(or simply “subject access request” or “SAR”). This right gives individuals
the right to obtain a copy of their personal data from you, as well as
certain other important information such as details of the purposes for
which you are using the data and how long you will keep it.
Subject to certain limited exceptions, you must respond to a subject access
request within one month of receipt. In some cases, you may need to
request additional information to confirm the identity of the individual
making the request. Furthermore, if the request is “manifestly unfounded or
excessive” or if additional copies of data are required following a
request, you may be able to charge a fee to cover your administrative costs
(although charging a fee is no longer the norm as it was under the Data
Protection Act 1998).
In either of the cases above, the one-month timeframe does not begin until
you have received the information and/or the fee from the individual making
the request.
In some cases, particularly if you hold and process a large amount of
personal data about someone (or if it isn’t clear that they are making a
subject access request in the first place), it may be necessary to ask them
for clarification before you respond to the request. For the better part of
a year now, asking for clarification has had no impact on the time limit
for response – much to the surprise and distaste of many data controllers.
Late in October 2020, however, the Information Commissioner’s Office
published new guidance on subject access requests, building on the
responses it received to a consultation first published in December 2019.
Asking for clarification now “stops the clock” running on the response time
limit. Other key updates in the latest ICO guidance include a clarification
on what “manifestly excessive” means and details on what can be included
when calculating a fee.
Updated SAR Templates
To reflect this new guidance, we have updated our suite of document
templates for handling subject access requests. Our guidance notes have
received a comprehensive update, incorporating information on the new time
limit calculation, the definition of “manifestly excessive”, and factors to
consider when calculating a fee. Other sections of the guidance notes have
also been updated with more detail.
Our SAR Policy and Procedure and a number of our SAR letter templates have
also been updated to reflect the new guidance.
Please note: All of the documents which have been updated are listed as
part of this newsletter (in the right-hand column of this page). All
documents in the SAR subfolder have been reviewed. If a document has been
reviewed but has not been amended, the document description has been
changed to reflect this, but the document itself is not marked as an
update.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific
legal matter.