Summary of the ICO Guidance on the Right of Access

27/10/2020

The UK Information Commissioner’s Office (ICO) has issued new detailed Guidance on the Right of Access (Guidance). The earlier Subject Access Code of Practice was issued under the previous Data Protection Act, and the ICO has announced that it will be updated.


Although the differences between the two are not revolutionary, the new Guidance clarifies three key points that had been raised:


1. Stopping the clock while seeking clarification
2. What a manifestly excessive request is
3. What can be included when charging a fee for excessive, unfounded or repeat requests


The ICO plans a suite of resources, including a simplified subject access request (SAR) guide for small businesses that picks out the key need-to-knows from the detailed Guidance.


This article provides a summary of the new Guidance; however, we encourage you to read the full Guidance. Some of the obvious or well-known requirements and practices are omitted.


    • SARs can be made verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. If a SAR is made by a third party or through an online portal, it is the third party’s responsibility to provide evidence of their authority. A controller should be satisfied with the proof of authority before responding.


    • If the request is from a child, the controller should be confident that the child can understand their rights before responding to them. If the child authorises it, or if it is in the best interests of the child, a parent or guardian can exercise the child’s right on their behalf.


    • The one-month deadline can be extended by a further two months if the request is complex or a number of requests have been received from the individual. If a controller processes a large amount of information about an individual, it may ask the individual to specify the information or processing activities to which their request relates, if this is not clear.


    • A controller may ask for ID documents to verify an individual’s identity. The timescale for responding to a SAR does not begin until the requested information has been received; however, the documents should be requested promptly.


    • A “reasonable fee” for the administrative costs of complying with a request may be charged if the request is manifestly unfounded or excessive, or if an individual requests further copies of their data.


    • A controller should make reasonable efforts to find and retrieve the requested information. Searches that would be unreasonable or disproportionate to the importance of providing access to the information are not required.


    • If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise. If the individual asks for it, a verbal response to their SAR is sufficient, provided that their identity has been confirmed by other means.


    • Further guidance on how to provide the information securely can be found here.


    • Where an exemption applies, a controller may refuse to provide all or some of the requested information, depending on the circumstances. In addition, if the request is manifestly unfounded or excessive, a controller may refuse to comply with the SAR. Detailed guidance on this can be found here.


    • If it is not possible to comply with a SAR without disclosing personal information about a third party, a controller may refuse to do so, unless the third party consents to the disclosure or it is reasonable to comply with the request without the third party’s consent. A controller must respond to the individual whether or not the third party’s data has been disclosed. This decision should be documented along with its justification. You can find more information here.


    • The exemptions are set out in Schedules 2 and 3 of the DPA 2018 and are as follows:
        - Crime and taxation: general
        - Crime and taxation: risk assessment
        - Legal professional privilege
        - Functions designed to protect the public
        - Regulatory functions relating to legal services, the health service and children’s services
        - Other regulatory functions
        - Judicial appointments, independence and proceedings
        - Journalism, academia, art and literature
        - Research and statistics
        - Archiving in the public interest
        - Health, education and social work data
        - Child abuse data
        - Management information
        - Negotiations with the requester
        - Confidential references
        - Exam scripts and exam marks
        - Other exemptions
        The ICO has two pieces of guidance on this, available here and here.


    • There are special rules when dealing with:
        - unstructured manual records;
        - credit files;
        - health data;
        - educational data; and
        - social work data.
        Further Guidance is available here.


    • In appropriate cases, the ICO may take action against a controller or processor if they fail to comply with data protection legislation.


    • A controller cannot compel an individual to make a SAR; in certain cases, doing so is a criminal offence. Further guidance is available here.


The full guidance can be accessed here.