Data protection: New guidance for employers handling data subject access requests
The General Data Protection Regulation (GDPR) came into force in May 2018 and since then the Information Commissioner’s Office (ICO) has been monitoring how businesses store and protect data. It is fundamental for businesses to protect employee and customer data from corruption, compromise or loss. If a business is neglectful, not only can this have a real impact on its reputation, but it can also face significant fines. For example, the ICO recently issued a £20 million fine to British Airways for a data breach that affected over 400,000 of its customers, and an £18.4 million fine to Marriott International for failing to keep customer data secure.
The ICO recently published guidance for businesses on individuals’ right of access to their personal data, i.e. employees or customers requesting access to the data a business holds about them. This guidance does not change the existing law; however, it provides clarification for employers on how to deal with data subject access requests (DSARs).
There are three key issues addressed in the guidance:
Stopping the clock for clarification
When an individual makes a DSAR the process is often quite complex right from the start, beginning with the initial task of understanding exactly what data the individual is asking for. Despite this, an employer will normally have a time limit of just one month from the date of the DSAR to provide the required data. Before publishing its latest guidance, the ICO received a lot of feedback from organisations highlighting a recurring problem: where further clarification was needed from the individual making a DSAR, there was frequently not enough time left for the organisation to respond within the initial one-month period.
Under the new guidance, employers who process a large amount of data about an individual may ask them to clarify the information or processing activities that their request relates to if it is unclear in the original request, before responding. Where this occurs, the one-month time limit can now be paused while an employer awaits clarification from the individual – this is called ‘stopping the clock’.
A request for clarification should be made promptly and without undue delay after receiving a DSAR to enable an employer to focus on searching for the information the individual wants at the earliest possible stage and ensure that there is sufficient time to respond.
The ICO is clear, however, that if some information can reasonably be provided without clarification, then this should still be provided within the normal one-month time limit.
In all circumstances, an employer will need to explain to the individual why it is seeking further details and be able to justify its position to the ICO, if asked.
Determining when a DSAR is manifestly excessive
Where a DSAR is manifestly excessive, an employer may be justified in charging a fee or even refusing to respond to the request. The new guidance confirms that assessing whether a DSAR is manifestly excessive requires an employer to consider whether the request is clearly or obviously unreasonable. In doing so, the ICO recommends taking all the circumstances of the DSAR into account and using them to determine whether the response required is proportionate when balanced against the burden or costs involved in dealing with the request.
This includes factors such as:
- the nature of the requested information;
- the context of the request, and the relationship between the employer and the individual;
- the employer’s available resources;
- whether the request largely repeats previous requests;
- whether it overlaps with other requests (as opposed to relating to a completely separate set of information).
A request is not necessarily excessive just because the individual requests a large amount of information. If appropriate, an employer may consider asking the individual for clarity to help it locate the information the individual wants and better assess whether it can make reasonable searches for the information (see stopping the clock for clarification).
Charging a fee
The information requested in a DSAR should normally be provided by an organisation without charging a fee. However, a reasonable fee can be charged to cover administrative costs where the request is manifestly excessive (see above), manifestly unfounded, or is a repeat request.
The ICO guidance explains that a reasonable fee may include the costs of staff time (charged at a reasonable hourly rate), copying, postage and other expenses involved in transferring the data to the individual, including, for example, the costs of envelopes, USB devices etc.
Any fee charged must be justifiable in the event that an individual complains to the ICO. Therefore, to ensure that any fees are charged in a reasonable and consistent way it is advisable to establish a set of criteria for charging fees explaining:
- the circumstances in which a fee is charged;
- standard charges (detailing for example, photocopying costs, hourly rates for staff time); and
- how a fee is calculated, explaining what costs are taken into account.
The newly published guidance is intended to reduce the response times associated with complex requests and therefore should be welcomed by employers. Further resources to assist with responding to DSARs, including a guide for small businesses, are being developed by the ICO.
We will watch out for these so we can update clients in due course. For further information and guidance, please get in touch.
We have considerable experience of advising employers on how best to respond to DSARs. Please view our factsheet for practical advice and the steps to follow to be compliant.