Despite the consultation period for their draft Right of Access Guidance remaining open until the 12th February, the Information Commissioner’s Office (the “ICO”) has amended its published guidance on the timescales for Data Subject Access Request (“DSAR”) compliance.
It is no longer an option for Data Controllers to stop-the-clock for compliance when requesting further clarification from the Data Subject. This is likely to result in some major practical issues for employers, especially when the data subject in question has produced a very wide-ranging request or a general request for “all data”.
DSAR’s can be a huge burden on company resources as sourcing and reviewing the data can be very time-consuming. It is therefore common for Data Controllers to seek clarification by responding to DSARs with a prescribed form or checklist for the data subject to complete prior to beginning its search; it was understood that the time limit for the request started when this form was returned. This new guidance indicates that, whilst ‘further information’ forms will continue to be necessary in certain circumstances, the time limit for compliance will run from the date the initial request is submitted and not any subsequent DSAR form. Where relationships between Data Controller and Data Subject have broken down or the correspondence suffers from repeated delays, this could place extra stresses and burdens on the Data Controller when trying to ensure compliance.
The Right of Access guidance now states:
“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request [(see recital 63, GDPR)]. However, this does not affect the timescale for responding - you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests”.