ICO revises its guidance on time limits for responding to DSARs

United Kingdom

Recently, the Information Commissioner’s Office (ICO) updated its guidance on time limits for responding to a data subject access request (DSAR) and other individual rights requests. In practice this means that the day of receipt (regardless of whether or not this is a working day) is “day one” for the purpose of calculating when the requisite deadline expires.

The time limit for responding to a DSAR and taking action in relation to other individual rights under the current data protection legislation is “without undue delay and in any event within one month of receipt of the request”. In certain circumstances, this may be extended by up to two months, but the employer must notify the data subject that they need an extension, together with the reasons for it, within the initial one-month period. For more details on the circumstances in which extending the time limit for responding can potentially be justified, see our earlier update here.

Until recently, the ICO guidance stated that the one-month period started the day after receipt of the DSAR, expiring on the corresponding date of the next month (or, if there is no corresponding date, the last day of the month). This meant that a request received on 1 August had to be complied with by no later than 2 September, and a request received on 31 October had to be complied with by no later than 30 November.

However, the ICO recently clarified that, following a CJEU ruling, this period should now be measured from the day of receipt. This means that a request received on 1 August must now be complied with by no later than 1 September. The corresponding date rule remains the same. This minor but crucial change means data controllers could lose another day of the period for compliance, particularly if the request is received late in the day. However, it is important to remember that while in practice we all work to these deadlines, the underlying obligation is, in any event, to respond “without undue delay”, and in some circumstances an employer may be expected to respond well before the deadline.

Helpfully, there have been no other changes to the ICO guidance on timescales; if the deadline falls on a weekend or a public holiday, the response still falls due on the next working day.

Employers should ensure internal processes for responding to DSARs and other individual rights requests reflect the up-to-date guidance from the ICO.