ICO issues detailed guidance on responding to subject access requests

October 2020 was a busy month for data protection. It saw the ICO issue two significant fines against both British Airways and Marriott International Inc for well-known security breaches which took place in 2018.

British Airways was fined £20 million for a data hack which involved approximately 430,000 individuals and included the breach of their names and addresses and, for more than 200,000 data subjects, their sensitive bank account information (including credit card numbers and CVV codes).

Marriott was fined £18.40 million for processing personal data without adequate security measures, leaving 339 million customer accounts exposed, including 30 million European accounts containing names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty program information.

These announcements come shortly after the ICO published new guidance for organisations on the handling of Subject Access Requests (SARs) on 21 October 2020. This followed feedback from a consultation which took place in December 2019.

The guidance runs to some 81 pages. In our view, however, there are three key points on which it provides clarification, especially for employers dealing with SARs, where the time, effort and expense for businesses in responding to a SAR can be significant:

1. Time limits when seeking clarification on requests

The guidance has confirmed that if you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’. The response period can be paused for up to a month while the data controller awaits that clarification.

This means that you do not need to provide the individual with a copy of the information or any of the supplementary information that you cannot reasonably provide, unless you have obtained clarification.

The guidance confirms clarification should not be sought on a blanket basis. You should only seek it if:
• it is genuinely required in order to respond to a SAR; and
• you process a large amount of information about the individual.

2. When a request is manifestly excessive

The guidance confirms that, in assessing whether a request is manifestly excessive, a controller will need to consider whether the SAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the SAR into account and using them to determine whether the response required is proportionate when balanced against the burden or costs involved in dealing with the SAR.

3. What can be included when charging a fee for excessive, unfounded or repeated requests

The guidance confirms that the controller’s reasonable fee may include the costs of its staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices.

This additional guidance will be welcomed in particular by employers, who are often on the receiving end of extensive and complex SARs from their employees, as it should reduce the complexity and response time associated with such requests. The ICO is also planning to provide further resources and extra support for small businesses, which will include a simplified SAR guide.

For further information, or to discuss the issues raised by this update, please contact Herrington Carmichael’s Employment Department on 0118 977 4045 or employment@herrington-carmichael.com.

This reflects the law at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought as appropriate in relation to a particular matter. 

Hannah King
Legal Director, Employment