ICO issues detailed guidance on responding to subject access requests
October 2020 was a busy month for data protection. It saw the ICO issue two significant fines against both British Airways and Marriott International Inc for well-known security breaches which took place in 2018.
British Airways was fined £20 million for a data hack which involved approximately 430,000 individuals and included the breach of their names and addresses and, for more than 200,000 data subjects, their sensitive bank account information (including credit card numbers and CVV codes).
Marriott was fined £18.40 million for processing personal data without adequate security measures, leaving 339 million customer accounts exposed, including 30 million European accounts containing names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty program information.
These announcements come shortly after the ICO published new guidance for organisations on the handling of Subject Access Requests (SARs) on 21 October 2020. This followed feedback from a consultation which took place in December 2019.
The guidance runs to some 81 pages, however, in our view there are three key points on which it provides clarification, especially for employers dealing with SARs, when the time, effort and expense for businesses in responding to a SAR can be significant:
1. Time limits when seeking clarification on requests
The guidance has confirmed that if you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’. The response period can be paused for up to a month while the data controller awaits that clarification.
This means that you do not need to provide the individual with a copy of the information or any of the supplementary information that you cannot reasonably provide, unless you have obtained clarification.
The guidance confirms clarification should not be sought on a blanket basis. You should only seek it if:
• it is genuinely required in order to respond to a SAR; and
• you process a large amount of information about the individual.
2. When a request is manifestly excessive
The guidance confirms in assessing if a request if manifestly excessive, a controller will need to consider whether the SAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the SAR into account and using them to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.
3. What can be included when charging a fee for excessive, unfounded or repeated requests
The guidance confirms that the controller’s reasonable fee may include the costs of its staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices.
This additional guidance will be welcomed by employers in particular who are often on the receiving end of extensive and complex SARs from their employees to reduce the complexity and response time associated with such requests. The ICO is also planning to provide further resources and extra support for small business which will include a simplified SAR guide.
This reflects the law at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought as appropriate in relation to a particular matter.
FREE: Legal Insights and Event News
Keep you, your family and / or business up to date on how the law affects you, by subscribing to one of our legal insights. We will also update you on our upcoming events and seminars, which are tailored to your preferences.
Here are the monthly legal insights you can subscribe to:
- Corporate and Commercial
- Property & Construction
- Employment & Immigration
- Private Client and Family
We will only ever send you information that relates to your preferences and you can opt out at any time.
With a third national lockdown in force across the country, the government has announced the introduction of one-off top up grants.
This is a keynote summary of some of the main developments in employment law in the last month.
The Withdrawal Agreement ensures people will continue to be able to benefit from their current workers’ rights based on EU law.
Top Legal Insights
Award winning legal advice
We are solicitors in Camberley, Wokingham and London. In 2019, Herrington Carmichael won ‘Property Law Firm of the Year’ at the Thames Valley Business Magazines Property Awards, ‘Best Medium Sized Business’ at the Surrey Heath Business Awards and we were named IR Global’s ‘Member of the Year’. We are ranked as a Leading Firm 2020 by Legal 500 and Alistair McArthur is ranked in Chambers 2020.