New ICO guidance on DSARs – hurry, time is of the essence

The UK Information Commissioner’s Office (ICO) has recently made some noteworthy changes to its guidance around data subject access requests (DSARs); specifically, around the time limit for responding and what may count as a ‘manifestly unfounded’ DSAR.

In light of the hallowed status of DSARs as a bulwark against the erosion of data subject freedoms, their increasing and creative use by employees, service-users and customers and the resource toll that DSARs are taking on organisations big and small, we at Anthony Collins Solicitors considered it important to highlight these otherwise, not entirely headline-grabbing tweaks.

Time limits

Previously, ICO guidance stated that a DSAR should be responded to ‘without undue delay’ and within ‘one calendar month’, with the clock ticking from the day after the request was received until the corresponding date in the next calendar month. If the corresponding date were to fall on a weekend or bank holiday, the request would be due on the first working day thereafter. In some cases, this generous interpretation allowed organisations up to three extra days to field requests. The ICO now makes it clear that the one calendar month begins on the date that the request is received, regardless of whether it is a working day or not. For example, if a DSAR is received on 23 September, then a response must be sent to the data subject by 23 October.

The remaining guidelines stay the same. If the corresponding date in the next month does not exist because it is shorter, the request must be responded to on the last day of the month. If the day that the response is due falls on a weekend or public holiday, an organisation may choose to respond the first working day after.

Theoretically, the ICO’s new guidance is more in line with the wording of Article 12(3) of the General Data Protection Regulation 2016/679 (GDPR), which requires organisations to respond without undue delay and, in any event, within one month of receipt of the request. Practically, it is worth remembering that this has ramifications for more than just DSARs, as the same rules apply to all other data subject rights, i.e. rights to erasure and portability.

Manifestly unfounded

Much more awaited is the ICO’s guidance on what factors may legitimately indicate that a request is ‘manifestly unfounded’, allowing an organisation to refuse to comply. These factors include:

The individual clearly not having any intention to exercise their right of access, such as making a request but then offering to withdraw it in return for some sort of benefit from the organisation. This would appear to cover those organisations that have successfully concluded without prejudice settlement negotiations with aggrieved ex-employees, as a part of which the ex-employee and/or their trade union advisor has provided written reassurances that all DSARs will be rescinded, only to have them resurrected post-signing of the settlement agreement, or if an individual offers to withdraw a DSAR in exchange for compensation; or
The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption, such as where:
- The individual has explicitly stated, in their request itself or communications, that they intend to cause disruption. Consider a scenario where an employee hints at having access directly or via third parties, to some or all of the documents that they have requested, only to make the point that if the organisation does not make full disclosures in response to other DSARs, the employee will know about it.
- The request makes unsubstantiated accusations against specific employees; e.g. of conspiracy and fraudulent manhandling of the DSAR, despite all reasonable searches being carried out.
- The individual is targeting an employee against whom they have some personal grudge; e.g. a parent who brings a DSAR or numerous DSARs about their dealings with a particular member of teaching staff against whom they have used and already exhausted all official and unofficial channels of complaint; or
- The individual systematically sends different requests to an organisation as part of a campaign, e.g. once a week. Examples include having thoroughly searched, reviewed and responded to a request and then receiving a regular ream of emails requesting further documentation, unreasonable demands for clarification on the search criteria or haranguing the organisation on any perceived unfairness in the searching or filtering process when all reasonable steps have been taken.

Although the above seems to confirm our own interpretation of the phrase, it must be made clear that this list of factors and associated examples is not exclusive. Every request that is considered to be manifestly unfounded must be judged on its own merits and within its own specific context. The question very often, is simply, “Would I, as a data subject in this scenario, reasonably expect to have access to this information?” If a request is not obviously ‘manifestly unfounded’ or excessive, e.g. repetitive in nature, even if it involves weeks of review and redaction or aids a data subject in their ongoing litigation against the organisation, the chances are that it isn’t and that it will need to be actioned.

When refusing to comply with a DSAR, it is imperative that organisations document the process that was followed (including searches conducted within databases, search terms used and how much data was retrieved), tell the data subject the reasons for non-compliance, including evidence or examples where possible, and ensure that the data subject is aware of their rights to make a complaint to the ICO or to a judicial remedy. The ICO will not generally look favourably upon organisations who extend the response deadline by up to a further two months because a request is complex, only to then claim an exemption or state that the DSAR is ‘manifestly unfounded’ or ‘excessive’.

It goes without saying that proving that a request is manifestly unfounded or excessive is just one means by which organisations can manage their burgeoning lode of DSARs. They can, and should, seek to clarify requests if the DSAR is vague, particularly complex or promises to be extensive by seeking to agree narrower or more specific search parameters, e.g. specific events, dates or individuals.

It is also worth remembering that other than in the simplest of cases, some personal data will doubtlessly be exempt because it belongs to a third party, e.g. an individual is entitled to their own disciplinary and grievance notes but not to those of other staff unless the other person has consented, or it is reasonable to disclose these in the circumstances.

Finally, other exemptions such as prejudice to ongoing negotiations and legal privilege, should not be discounted. Case law in the area makes it clear that whenever exemptions are applied, a reasonable search must be conducted so that documents are not exempted wholesale without proof of their exempt status.

All in all, the fabric of DSARs remains as we know it, but it is heartening to see the ICO confirm that a genuine common-sense approach to DSARs is very much in line with its own thinking. Meanwhile, we may look to the ICO’s own responses to the requests it receives, for reassurance and as a sneak preview to yet further guidance.

Further information

For more information, please contact Eeshma Qazi.

Latest news, webinars and podcasts

Coronavirus – school trips during the 2020/21 academic year Thursday 4 June 2020

Current Government guidance is clear that both domestic and international school trips will need to be cancelled or re-arranged for the immediate future.

Staying alert to Government changes to furlough and Statutory Sick Pay Tuesday 2 June 2020

The Government has announced changes to the newly extended Coronavirus Job Retention Scheme (CVJRS) and extended the payment of SSP in certain circumstances.

PODCAST: Returning to work post lockdown Tuesday 2 June 2020

Katherine Sinclair and Libby Hubbard talk through the issues facing employers as they start to bring employees back to work.

Discriminatory ‘Right to Rent’ scheme is justified, rules Court of Appeal Monday 1 June 2020

The Court of Appeal has delivered its verdict on a High Court decision that the Right to Rent scheme was discriminatory and in breach of the ECHR.

Charities weekly round-up 9 Monday 1 June 2020

With many of our updates over recent weeks highlighting the challenges that have emerged from lockdown, we are now seeing a trend of charities grappling with the challenge of emerging from lockdown.

Company Secretary Update – May 2020 Thursday 28 May 2020

In this update, we have focussed on the headline governance and regulatory issues that are facing RPs at this time. as we all deal with the Covid-19 crisis.

Max and Keira’s Law – the new “opt-out” organ donation system Thursday 28 May 2020

The law surrounding organ donation has changed. The Organ Donation (Deemed Consent) Bill came into effect on 20 May 2020 and has implemented an opt-out system for organ donation.

Rental revenue legal options during Covid-19 Tuesday 26 May 2020

Commercial and local authority landlords could benefit from urgently reviewing their legal options.

‘Pleasure doing business’ – responsible contractual behaviour during the Covid-19 emergency and the value of sustainable economy Tuesday 26 May 2020

The Cabinet Office has published guidance asking for people to act responsibly, fairly and “in the national interest”.

Charities weekly round-up 8 Tuesday 26 May 2020

To help our charity clients look to the future, we summarise key guidance and updates over the last week.