
ICO issues detailed guidance on responding to subject access requests

Nov 19, 2020

October 2020 was a busy month for data protection. It saw the ICO issue two significant fines against both British Airways and Marriott International Inc for well-known security breaches which took place in 2018.

British Airways was fined £20 million for a data hack which involved approximately 430,000 individuals and included the breach of their names and addresses and, for more than 200,000 data subjects, their sensitive bank account information (including credit card numbers and CVV codes).

Marriott was fined £18.40 million for processing personal data without adequate security measures, leaving 339 million customer accounts exposed, including 30 million European accounts containing names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty program information.

These announcements come shortly after the ICO published new guidance for organisations on the handling of Subject Access Requests (SARs) on 21 October 2020. This followed feedback from a consultation which took place in December 2019.

The guidance runs to some 81 pages. In our view, however, there are three key points on which it provides clarification, especially for employers dealing with SARs, where the time, effort and expense for businesses in responding to a SAR can be significant:

1. Time limits when seeking clarification on requests

The guidance has confirmed that if you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’. The response period can be paused for up to a month while the data controller awaits that clarification.

This means that you do not need to provide the individual with a copy of the information or any of the supplementary information that you cannot reasonably provide, unless you have obtained clarification.

The guidance confirms clarification should not be sought on a blanket basis. You should only seek it if:
• it is genuinely required in order to respond to a SAR; and
• you process a large amount of information about the individual.

2. When a request is manifestly excessive

The guidance confirms that, in assessing whether a request is manifestly excessive, a controller will need to consider whether the SAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the SAR into account and using them to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.

3. What can be included when charging a fee for excessive, unfounded or repeated requests

The guidance confirms that the controller’s reasonable fee may include the costs of its staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices.

This additional guidance will be welcomed, in particular by employers, who are often on the receiving end of extensive and complex SARs from their employees, as a means of reducing the complexity and response time associated with such requests. The ICO is also planning to provide further resources and extra support for small businesses, which will include a simplified SAR guide.

For further information, or to discuss the issues raised by this update, please contact Herrington Carmichael’s Employment Department on 0118 977 4045 or employment@herrington-carmichael.com.

This reflects the law at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought as appropriate in relation to a particular matter. 

By Hannah King

Senior Solicitor, Employment Law
