Data Subject Access Requests – ICO launches consultation on right of access guidance

United Kingdom

On 4 December 2019, the UK Information Commissioner’s Office (“ICO”) published a draft version of its guidance covering data subjects and their right to access information (the “New Guidance”). This more detailed New Guidance is intended to replace the initial guidance that was released by the ICO in April 2018 and, in particular, clarify or assist with issues that organisations have faced when dealing with data subject access requests (“DSARs”) since then. The ICO has invited stakeholder organisations and the general public to provide responses on the New Guidance. Set out below are areas of the New Guidance that would be relevant for public bodies to be aware of.

DSAR Response Time

One proposed change for controllers to be aware of is in respect of the time frame to respond to DSARs. Under the initial guidance, the one-month time limit to respond to the request could be paused if there was anything in the DSAR that the controller required clarification from the requester on. There were caveats to this – the controller had to flag to the requester as soon as possible that it needed more information to provide a response, and the information sought must be genuinely and reasonably needed to allow compliance. However, under the New Guidance, while controllers can still seek clarification of the DSAR from the requester, the ICO has made clear that the clock continues to run while awaiting receipt of the requested information.

Controllers can request an extension to the response time by a further two months, giving three months in total to respond. However, they are only permitted to do so where the request is complex or where multiple requests have been received from the same individual. If an extension is justified, the controller must write to the individual within one month of receipt of the request to explain why the extra time is needed. The New Guidance then gives examples of factors that may add to the complexity of the DSAR, although caveats this by saying it will be dependent on the specific circumstances of that case. While providing these examples, the ICO has avoided being too prescriptive on what will and will be deemed a complex request. It therefore remains a judgement call for organisations to make.

DSARs and Third Party Data

The New Guidance sets out a three-step approach to help organisations decide whether to disclose information to a third party. Controllers will have to ask:

  1. Does the request require the disclosure of information that identifies another individual?
  2. Has the other individual consented?
  3. Is it reasonable to disclose without consent? In the case of disclosure without consent for personal data relating to health workers, social workers or education workers, there are additional tests to be met. These tests centre on the identity of the requester, the capacity the information was given in and where the information is stored.

Much of the foundation of this test is taken from the Data Protection Act 2018 (“DPA”). However, the New Guidance also lists additional points that are likely to be relevant to a decision on whether information can be disclosed as part of a DSAR. If the third-party information is already known to the individual making the request or is generally available to the public, it is more likely to be reasonable for the organisation to disclose that information. Additionally, the need to preserve the confidentiality of a third party’s information needs to be balanced against the importance of the information to the requester – the New Guidance goes so far as to say that it may be appropriate to disclose information even where the third party has withheld consent.

Special Categories of Data

The New Guidance sets out advice on dealing with DSARs which request access to special categories of personal data. For example, there was a discrepancy between the GDPR and DPA, whereby the GDPR does not cover non-automated information that does not fall within a filing system, but the DPA states that unstructured manual information processed by public authorities constitutes personal data. The New Guidance clarifies this, stating that public authorities may have to search through these documents or records as part of a DSAR, although they are not obliged to do so where the request (i) does not contain a description of such data, (ii) where the cost of compliance would exceed £600, or (iii) where it is for certain types of information such as personnel matters in relation to service in any public authority office. For public bodies operating in the health, education and social work sectors, there is detailed information in the New Guidance about DSARs requesting health, education or social work data. This deals with the restrictions in place in respect of disclosure of such data and sets out clearly where the appropriate provisions can be found in the GDPR and the DPA.

The New Guidance is not yet in its final form, with the public consultation scheduled to close on 12 February 2020. The comments submitted by stakeholder organisations will inform the final published version of the New Guidance by highlighting areas where further clarity is sought or where there are issues that organisations feel remain unanswered. Those with any views on the New Guidance and hoping to shape the final form it will take should look to engage with this prior to the deadline – a link can be found here.