Detailed guidance on subject access requests published

Out-Law News | 20 Dec 2019 | 3:40 pm | 3 min. read

Organisations cannot ignore or dismiss data subject access requests (SARs) received in bulk, despite the administrative burdens they will face in handling such requests, according to the UK's data protection authority.

In new detailed draft guidance on SARs it has published, the Information Commissioner's Office (ICO) recognised the potential for large organisations to "receive a number of SARs in a short period of time", including from claims management companies acting on behalf of multiple individuals, and advised organisations on how to deal with those bulk requests.

"You must consider each SAR within a bulk request individually and respond appropriately," the ICO said.

The ICO said that while it "acknowledges the potential resource implications of this duty", there are principles organisations should bear in mind when dealing with high volumes of SARs.

It said: "A SAR that is made as part of a bulk request has the same legal status as a SAR that is made individually; the purpose for which a SAR is made does not affect its validity, or your duty to respond to it (unless it is a manifestly unfounded or excessive request); if a request is made by a third party on behalf of an individual, the behaviour of the third party should not be taken into account in determining whether a request is manifestly unfounded or excessive; you must satisfy yourself that the third party is authorised to make the request; you must satisfy yourself as to the identity of the individual concerned; and you must respond to the request even if you hold no information about the individual (your response may obviously be very brief in such cases)."

Under the UK's Data Protection Act, people have a right to access a copy of the personal data organisations hold on them. This includes employees requesting data held by employers. Those subject access requests have to be complied with without undue delay and, generally, no later than one month after the requests are received. There are some limited circumstances in which organisations can charge a fee for SARs, and in which the timeframe for responding can be extended.

Supplemental information also has to be disclosed by organisations alongside the personal data they provide in response to the requests. That includes information about the categories of personal data they hold about the requester, the purposes of, and legal basis for, their processing, who they have shared the data with, and where they sourced the personal data they hold.

Fines of up to £17 million, or 4% of a business' annual global turnover in the preceding financial year, whichever is higher, can be imposed by the ICO for non-compliance with data subject access requests.

The ICO said in its guidance that SARs will be valid whether submitted verbally or in writing, including potentially via social media, though it said organisations can use SAR forms to help them better identify when SARs are submitted. It said organisations "should make extensive efforts to find and retrieve the requested information", but confirmed that organisations can ask people submitting SARs to verify their identity in some cases prior to disclosing the information.

"You should not assume that on every occasion the requester is who they say they are," the ICO said. "In some cases, it is reasonable to ask the requester to verify their identity before sending them information. How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity. The level of checks you make may depend on the possible harm and distress that inappropriate disclosure of the information could cause to the individual concerned."

The ICO urged organisations to ensure staff are trained on how to identify and handle SARs and also recommended documenting SARs that are received.

"It is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person," the ICO said. "You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted it. You should also note that individuals do not have to tell you their reason for making the request or what they intend to do with the information, although it may help you to find the relevant information if they do explain the purpose of the request."

The ICO's draft guidance is open to consultation until 12 February 2020.