ICO issues detailed guidance on responding to subject access requests

Nov 19, 2020

October 2020 was a busy month for data protection. It saw the ICO issue two significant fines against both British Airways and Marriott International Inc for well-known security breaches which took place in 2018.

British Airways was fined £20 million for a data hack which involved approximately 430,000 individuals and included the breach of their names and addresses and, for more than 200,000 data subjects, their sensitive bank account information (including credit card numbers and CVV codes).

Marriott was fined £18.40 million for processing personal data without adequate security measures, leaving 339 million customer accounts exposed, including 30 million European accounts containing names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty program information.

These announcements come shortly after the ICO published new guidance for organisations on the handling of Subject Access Requests (SARs) on 21 October 2020. This followed feedback from a consultation which took place in December 2019.

The guidance runs to some 81 pages. However, in our view there are three key points on which it provides clarification, especially for employers dealing with SARs, where the time, effort and expense for businesses in responding to a SAR can be significant:

1. Time limits when seeking clarification on requests

The guidance has confirmed that if you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’. The response period can be paused for up to a month while the data controller awaits that clarification.

This means that you do not need to provide the individual with a copy of the information or any of the supplementary information that you cannot reasonably provide, unless you have obtained clarification.

The guidance confirms that clarification should not be sought on a blanket basis. You should only seek it if:
• it is genuinely required in order to respond to a SAR; and
• you process a large amount of information about the individual.

2. When a request is manifestly excessive

The guidance confirms that, in assessing whether a request is manifestly excessive, a controller will need to consider whether the SAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the SAR into account and using them to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.

3. What can be included when charging a fee for excessive, unfounded or repeated requests

The guidance confirms that the controller’s reasonable fee may include the costs of its staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices.

This additional guidance will be welcomed by employers in particular, who are often on the receiving end of extensive and complex SARs from their employees, as a means of reducing the complexity and response time associated with such requests. The ICO is also planning to provide further resources and extra support for small businesses, which will include a simplified SAR guide.

For further information, or to discuss the issues raised by this update, please contact Herrington Carmichael’s Employment Department on 0118 977 4045 or employment@herrington-carmichael.com.

This reflects the law at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought as appropriate in relation to a particular matter. 

By Hannah King

Senior Solicitor, Employment Law
