The ICO has published draft guidance (the “guidance”) on data subject access requests (“DSARs”), which updates the previous code of practice, last issued in 2017. This guidance takes into account the relevant provisions of the GDPR and the UK Data Protection Act 2018 (“DPA”). The ICO will be consulting on this draft guidance until 12 February 2020.
Importantly, the ICO recognises some of the issues that businesses are facing in relation to DSARs, in that the guidance:
- Explains when a request may be considered complex. The guidance states that a large volume of data may add (emphasis is ours) to the complexity of a request, but notes that the volume of data is not, by itself, a reason to consider a DSAR complex;
- Provides greater clarity on what a business can take into consideration when it is considering the monetary value of a fee. For example, photocopying and printing are generally valid administration costs, but a business cannot charge for the time taken to deal with the request;
- Includes a section on what businesses should do when a request involves information about another identifiable individual. It provides further guidance on the DPA exception relating to third-party data; and
- Contains some practical guidance about the DPA exceptions, such as negotiations and management information.
Whilst this is a valuable update from the ICO, which might provide some helpful additional information, it should be noted that it is only a draft for consultation. The ICO is seeking views from stakeholders and the public about the proposed guidance. In particular, it wishes to understand what specific issues businesses have faced in responding to DSARs since the GDPR was implemented in May 2018. If you are interested in responding, please use this link.