Right of Access

Further to my recent blog, which considered the thorny issue of Data Subject Access Requests (DSARs), the Information Commissioner's Office (ICO) has published some useful guidance for employers on how to deal with such requests. Whilst the content is not entirely new, it does build upon existing guidance.

“Manifestly excessive”

In particular, when considering what amounts to a “manifestly excessive” request, an employer must determine whether the request is “clearly or obviously unreasonable” on the basis of whether it is “proportionate when balanced with the burden or costs involved in dealing with the request”. The guidance lists the circumstances that should be taken into account, including:

  • the nature of the requested information
  • the context of the request, and the relationship between the business and the individual
  • whether a refusal to provide the information may cause substantial damage to the individual
  • the resources available
  • whether the request largely repeats previous requests and a reasonable interval has not elapsed
  • whether it overlaps with other requests

“Reasonable fee”

Where a request is manifestly unfounded or excessive, or an individual requests further copies of their data following a request, a reasonable fee for administrative costs may be charged. However, what is a “reasonable fee”?

When defining “reasonable”, consideration should be given to:

  • assessing who is processing the information
  • locating, retrieving and extracting the information
  • providing a copy of the information
  • communicating the response to the individual

A reasonable fee may include the costs of:

  • photocopying, printing, postage and any other costs involved in transferring the information to the individual
  • equipment and supplies, such as discs, envelopes, USB sticks
  • staff time (charged at reasonable hourly rates, subject to any specified limits by the Secretary of State)

How to prepare

Given the increase in the number of claims issued in the tribunal, and the heightened awareness of rights that individuals possess, it’s anticipated that the number of DSARs will rise. As such, we would advise employers to be ready to deal with such requests and ensure they have the necessary policies and procedures in place to deal with them.

In order to be fully prepared, the ICO has listed some simple steps that should be taken:

  • Awareness – ensure individuals are aware of how they can make a request
  • Training – ensure all staff are trained so that they recognise a DSAR. Specific training should be given to those required to deal with such requests
  • Guidance – ensure staff are aware of your policies and procedures and links to any relevant sites such as the ICO
  • Staff to handle requests – appoint a person or team to deal with requests and ensure they know how to process them
  • Asset registers – these registers state where and how information is stored; ensure they are maintained, as this assists in locating the information quickly
  • Checklists – a standard checklist will ensure DSARs are dealt with consistently and fairly
  • Logs – these may include copies of information given in response to a request and detail data withheld and the reasons for this
  • Retention and deletion policies – these are important to ensure information is kept no longer than necessary and to reduce the volume of information to be reviewed
  • Security – this is important to ensure information is sent securely thus minimising the potential for any breach

Should you require any assistance dealing with a DSAR, or require the review or implementation of your policies and procedures, then please do not hesitate to contact our Data Protection team.