The Information Commissioner’s Office in the UK has updated its guidance on the right to access, including clarifying the circumstances in which the one-month time limit clock can be paused.
The new version of the guidance has been published following a consultation that began last December.
The guidance makes it clear that an organisation in some circumstances can ‘stop the clock’ on the required one-month time limit for responding in order to seek clarification from the individual making the request. The ICO has clarified this in the guidance following feedback from organisations that they often didn’t have enough time to respond.
The ICO warns however that organisations should not seek clarification “on a blanket basis” and should only do so if they genuinely need the clarity in order to process the SAR or if they hold a large amount of information about the subject.
The guidance provides fresh information about how to determine whether a request is ‘manifestly excessive’, and therefore not eligible for a response. The ICO says that all circumstances have to be taken into account including the nature of the information requested, the context of the request, the nature of the relationship between the organisation and the individual, whether a refusal to provide the information will damage the subject, available resources and whether the request repeats or overlaps with other requests.
The ICO also clarifies what can be taken into account when charging an administration fee for responding to excessive, unfounded or repeat requests. Controllers may take into account the costs of photocopying, printing, postage and any other costs involved in transferring the information to the individual, as well as the costs of equipment and supplies and the time required by staff to provide a response.
Anulka Clarke, Deputy Director of Regulatory Assurance at the ICO, said: “The right of access is a cornerstone of data protection law and good SAR compliance instils trust and confidence. That’s why it’s essential that organisations get this right, because people’s trust in how organisations use their personal data plays a role in their overall confidence and support for your services.”
She added that the ICO is planning to release a “suite of resources” including a simplified SAR guide for small businesses.