ICO issues detailed guidance on responding to subject access requests

Nov 19, 2020

October 2020 was a busy month for data protection. It saw the ICO issue two significant fines against both British Airways and Marriott International Inc for well-known security breaches which took place in 2018.

British Airways was fined £20 million for a data hack which involved approximately 430,000 individuals and included the breach of their names and addresses and, for more than 200,000 data subjects, their sensitive bank account information (including credit card numbers and CVV codes).

Marriott was fined £18.40 million for processing personal data without adequate security measures, leaving 339 million customer accounts exposed, including 30 million European accounts containing names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty program information.

These announcements come shortly after the ICO published new guidance for organisations on the handling of Subject Access Requests (SARs) on 21 October 2020. This followed feedback from a consultation which took place in December 2019.

The guidance runs to some 81 pages, however, in our view there are three key points on which it provides clarification, especially for employers dealing with SARs, when the time, effort and expense for businesses in responding to a SAR can be significant:

1. Time limits when seeking clarification on requests

The guidance has confirmed that if you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’. The response period can be paused for up to a month while the data controller awaits that clarification.

This means that you do not need to provide the individual with a copy of the information or any of the supplementary information that you cannot reasonably provide, unless you have obtained clarification.

The guidance confirms clarification should not be sought on a blanket basis. You should only seek it if:
• it is genuinely required in order to respond to a SAR; and
• you process a large amount of information about the individual.

2. When a request is manifestly excessive

The guidance confirms in assessing if a request if manifestly excessive, a controller will need to consider whether the SAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the SAR into account and using them to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.

3. What can be included when charging a fee for excessive, unfounded or repeated requests

The guidance confirms that the controller’s reasonable fee may include the costs of its staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices.

This additional guidance will be welcomed by employers in particular who are often on the receiving end of extensive and complex SARs from their employees to reduce the complexity and response time associated with such requests. The ICO is also planning to provide further resources and extra support for small business which will include a simplified SAR guide.

For further information, or to discuss the issues raised by this update, please contact Herrington Carmichael’s Employment Department on 0118 977 4045 or employment@herrington-carmichael.com.

This reflects the law at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought as appropriate in relation to a particular matter. 

Hannah King

By Hannah King

Senior Solicitor, Employment Law


Contact Us

    The information you submit will be handled in accordance with our privacy policy.

    FREE: Legal Insights and Event News 

    Keep you, your family and / or business up to date on how the law affects you, by subscribing to one of our legal insights.

    Subscribe for free Legal Insights
    & Event updates

    Receive the latest legal developments and professional advice to keep your family and business safe.
    Please choose which list you would like to subscribe to below.

    Please see our privacy policy regarding use of your data.

    Latest Articles

    Top Legal Insights


    Contract Law

    Material Breach of Contract

    What is a ‘material’ breach of contract by a party to a commercial contract? This is a critical issue regularly considered by the courts. What constitutes a material breach and what are the remedies?

    Property Law

    Commercial Lease: The Financial impact on Landlord and Tenant

    Coronavirus (COVID-19) and the restrictions now in place to control its spread, are having a significant effect on many business sectors.

    Divorce and Family Law

    Divorce in Lockdown: Can I get some discreet legal advice?

    We have spoken to clients who are unfortunately experiencing some family issues, and would like to obtain expert legal advice, yet don’t know how...

    Land & Property Dispute

    Restrictive Covenants – The Price of Modification

    Having identified that your land is burdened by a restrictive covenant and for the purposes of this article the covenant in question will be that only one residential building can be erected on the land. What do you do next?

    Wills, Trusts and Probate

    Why is having a will so important?

    It is entirely up to you if and when you want to create a Will, but it is important to be aware of the consequences of not having a Will.

    Award winning legal advice

    We are solicitors in Camberley, Wokingham and London. In 2019, Herrington Carmichael won ‘Property Law Firm of the Year’ at the Thames Valley Business Magazines Property Awards, ‘Best Medium Sized Business’ at the Surrey Heath Business Awards and we were named IR Global’s ‘Member of the Year’. We are ranked as a Leading Firm 2020 by Legal 500 and Alistair McArthur is ranked in Chambers 2020.



    60 St Martins Lane, Covent Garden, London WC2N 4JS 

    +44 (0) 203 755 0557



    Building 2  Watchmoor Park, Riverside Way, Camberley, Surrey  GU15 3YL

    +44 (0)1276 686 222


    Wokingham (Appointment only)

    4 The Courtyard, Denmark Street, Wokingham, Berkshire RG40 2AZ

    +44 (0)118 977 4045


    © 2020 Herrington Carmichael LLP. Registered in England and Wales company number OC322293.

    Herrington Carmichael LLP is authorised and regulated by the Solicitors Regulation Authority.

    Privacy   |   Legal Notices, T&Cs, Complaints Resolution   |   Cookies   |   Client Feedback