The UK Information Commissioner’s Office (ICO) has recently published new guidance on the right of access under the GDPR (Article 15). The right of access gives individuals the right to request and obtain a copy of their personal data, as well as other supplementary information, and helps individuals understand how and why organisations are using their data.
This guidance significantly expands upon the original ICO guidance published in April 2018 and clarifies some important issues in dealing with and responding to access requests. The guidance highlights the need for organisations to take a more proactive approach in dealing with access requests, and provides practical advice on how to comply with such requests. The practical advice is likely to be of particular interest to organisations that receive a large number of access requests, such as consumer-facing businesses or public authorities. We have discussed below some of the features of the updated guidance.
A proactive approach towards access requests
The guidance acknowledges that access requests may, at times, be difficult to identify. An individual may make an access request verbally, in writing or electronically, including increasingly via social media where an organisation has a presence. The guidance therefore encourages organisations to take steps to make it easier for their employees to identify the requests on receipt, including:
- training staff to recognise what is, or could be, a request;
- developing policies and procedures on the right of access and ensuring they are readily available to staff;
- appointing a specific person or central team to handle requests; and
- preparing a standard form for individuals to use when making their requests.
Implementing such processes as standard practice will assist organisations in identifying requests for access at the earliest opportunity, thereby providing them with greater time to respond. Organisations are also encouraged to keep on top of active access requests and ensure response times are met efficiently by taking actions such as:
- maintaining information asset registers which state where and how personal data is stored. An organisation’s records of processing and/or data retention policy could be useful in formulating such an asset register;
- maintaining a log of access requests and updating it to monitor progress. This is something that should be implemented by all organisations, regardless of their size and the number of requests, as a regulator may ask how requests are handled generally if, for example, a complaint has been made by a data subject; and
- producing a standard checklist that staff can use to ensure a consistent approach is taken to responding to access requests.
Taking a proactive approach will undoubtedly allow organisations to better manage requests and responses, particularly those organisations that receive a large volume of requests. Further, by suggesting such measures, the ICO gives the impression that non-compliance for reasons such as the volume of requests, or failure to provide all the information requested by the data subject, will not be acceptable. Instead, the ICO is advising that organisations take an active role in ensuring they comply with all requests received and, ultimately, therefore, with the law.
Extending the deadline to respond
The law states that an access request should be responded to in full within one month of receipt of the request or, if applicable, receipt of any information requested by the organisation to confirm the requester’s identity. Organisations can extend this response time by a further two months if the request is complex or where a number of requests have been received from the individual, but as the guidance notes, an organisation must be able to demonstrate why it has come to such a conclusion.
Organisations are also permitted, by law, to seek clarification about an access request where it is genuinely required in order to respond and the organisation processes a large volume of data about the individual. The guidance confirms that where such clarification is sought, the time limit for responding to the access request is paused until the clarification is received. This is referred to as “stopping the clock”. The clock then resumes on the date the organisation receives the clarification.
Whilst “stopping the clock” may seem useful for organisations, the ICO expressly warns against doing so as a tactic for delaying a response or deterring future requests. Instead, organisations are expected to be transparent and cooperative with individuals by, for example:
- providing the individual with advice and assistance to help them clarify their request;
- keeping a record of any conversation with an individual about the scope of their request; and
- explaining to the individual why the organisation is seeking clarification of their identity or of the scope of the request.
Making reasonable efforts to retrieve information
Organisations should make reasonable efforts to find and retrieve the requested information, which the ICO notes is a “high” expectation under the GDPR. However, organisations are not required to conduct searches that would be unreasonable or disproportionate. To determine this, the ICO states that an organisation should consider: the circumstances of the request; any difficulties involved in finding the information; and the fundamental nature of the right of access. The determination will of course vary greatly between organisations and the means available to them, but based on experience, the proportion of requests that satisfy the “unreasonable” or “disproportionate” criteria is very low.
The guidance discusses specific types of records and locations that organisations commonly have to consider when complying with an access request, for example archived information or information held within emails. The overarching message from the ICO in this respect is that, generally speaking, all records should be considered when seeking to comply with a request. The ICO suggests organisations design, implement and maintain information management systems that enable the organisation to comply with requests efficiently.
What is “manifestly unfounded” and “manifestly excessive”?
Organisations can refuse to comply with an access request if it is “manifestly unfounded” or “manifestly excessive”. The guidance expands upon the meaning of these terms.
A request may be manifestly unfounded if:
- the individual has no intention to exercise their right of access, e.g. they immediately withdraw the request in return for some benefit from the organisation; or
- the request is malicious in intent and is being used to harass and disrupt an organisation, e.g. the individual systematically and frequently sends different requests as part of a targeted campaign to cause the organisation disruption.
A request may be manifestly excessive if it is “clearly or obviously unreasonable”, which should be judged on whether the request is proportionate when balanced against the burden or costs involved in dealing with it. The mere fact that the individual requests a large amount of information does not in itself mean the request is excessive. All of the circumstances of the request should be taken into account when analysing whether it is proportionate, including:
- the nature of the requested information;
- the context of the request, and the relationship between the organisation and the individual; and
- the available resources of the organisation.
The guidance expressly states that these examples and circumstances are not designed to be conclusive; the context in which each request is made is key and must always be considered and recorded. If an organisation believes a request is manifestly unfounded or manifestly excessive, it should ensure it has a strong justification for why it considers this to be so, and be prepared to clearly demonstrate this to the individual and the ICO.
The guidance provides some welcome suggestions which appear to be based on experience and queries received since the implementation of the GDPR. The overall message of the guidance is clear: organisations should ensure they are fully prepared to comply and respond efficiently to all requests received in the timeframes established by the law and should implement practices and procedures to do so.