In October 2020, the ICO published the next in its series of guidance on the General Data Protection Regulation (GDPR). The latest guide deals with ‘Rights of Access’ - the right of individuals to request and receive a copy of their personal data. The process for doing this is usually referred to as a ‘Subject Access Request’ (SAR).
The guidance is aimed at Data Protection Officers or those who have responsibility for data protection in larger organisations. In practice, the guidance will be useful for anyone dealing with SARs within their business. It also contains illustrative examples which can assist employers in dealing with more complex requests.
As well as providing a general overview of rights of access, it includes information on:
- How to prepare for and recognise a SAR
- How to respond to a SAR
- Refusal to comply with SARs
- Dealing with third-party information and other exemptions
- Special cases and categories of data
Some common SAR ‘problem areas’ for employers:
Can the time limit for responding be extended?
The SAR should be responded to without undue delay, and within 1 calendar month.
This can be extended by a further month where the request is complex, or the employer is dealing with a number of requests from the same person. What amounts to a ‘complex request’ will depend on the facts and circumstances of each case but can include situations involving:
- Technical difficulties in retrieving the information, for example electronically archived data.
- Applying an exemption that involves large volumes of particularly sensitive information.
- Any specialist work involved in obtaining the information or communicating it in an intelligible form.
- Needing to obtain specialist legal advice. (But if the employer routinely obtains legal advice, it is unlikely to be complex.)
A request for a lot of information does not automatically mean it is ‘complex’. Employers should be prepared to demonstrate why the request is complex in the circumstances.
Can an employer ask for SARs to be clarified and what impact does this have on time limits?
If the employer processes a large amount of information about the individual, it can ask the individual to specify the information or processing activities the request relates to before responding.
Where an employer does so, this ‘stops the clock’ on the time limit for responding to the request. Employers should only ask for clarification when it is genuinely required in order to respond to the SAR and where they process a large amount of information about the individual. Whether or not the employer holds a ‘large’ amount of information will depend on its size and resources.
Situational examples of complying with requests and clarification are provided in the guidance and are a useful reference point.
Can employers charge a fee for SARs?
It is not normally permissible to charge a fee to respond to a SAR, unless the request is manifestly unfounded or excessive, or an individual requests further copies of their data following a request. In such cases, employers may charge a ‘reasonable fee’ for their administrative costs. This can include costs of:
- photocopying, printing, postage and any other costs involved in transferring information;
- equipment and supplies (eg discs, envelopes or USB devices); and
- staff time.
If there is any duplication in effort, the individual should not be charged twice. If routinely dealing with large requests, employers should consider putting in place criteria for charging fees. In all cases, employers should be prepared to justify the cost.
When can an employer refuse to comply with a SAR?
If a SAR is ‘manifestly unfounded’ or ‘manifestly excessive’ an employer can refuse to comply.
A request may be manifestly unfounded where the individual clearly has no intention of exercising their right of access, for example where they offer to withdraw the request in return for some form of benefit. It can also include malicious requests, such as systematic requests made as part of a campaign.
A request may be manifestly excessive where it is clearly or obviously unreasonable.
The context and circumstances of the request should be taken into account when considering whether it is unfounded or excessive.
What if requests contain information about other people?
There is an exemption from complying with a SAR if doing so would disclose information which identifies a third party, except where that third party has consented or it is reasonable to comply without consent.
To help decide whether to disclose information relating to a third party, the guidance recommends following a three-step process:
- Step 1: Does the request require disclosing information that identifies another individual? If so, is it possible to comply with the request without revealing that information, for example by deleting names or editing documents? If this is not possible, move on to Step 2.
- Step 2: Can the third party give consent to the disclosure? Seeking consent is usually an appropriate step to consider. If it is not appropriate to do so, move on to Step 3.
- Step 3: Is it reasonable to disclose without consent? Depending on the type of information and any duties of confidentiality, it may be reasonable to disclose the information without seeking consent. The guidance contains a non-exhaustive list of factors that the employer may consider in such a case.
Whichever decision the employer reaches in the circumstances regarding information about other people, it should be communicated to the individual who has made the request.
The full guidance is available here.
The above is provided for general guidance only and employers with specific queries are encouraged to get in touch with one of our Employment team.