How can we help?


ICO Updates Right of Access Guidance

Following extensive consultation that began in December 2019, the Information Commissioner’s Office (ICO) has finally published their updated guidance on the Right of Access, namely the ability for an individual to submit a Data Subject Access Request (DSAR) to a processor of their personal data.

A fundamental and absolute right under data protection legislation, the Right of Access is a powerful tool for the individual and can be an extremely costly burden for an organisation. Listening to the 350 consultation responses from organisations, the ICO has sought to clarify some of the more antagonistic aspects of the DSAR process.

Yesterday’s press release states that the ICO has made many “changes and added additional content to the version already published” but nevertheless pinpointed three distinct areas that were in desperate need for clarification.

1. Stopping the clock for clarification 

Prior to the guidance update, the time limit for responding to a DSAR was not suspended whilst the organisation or processor sought clarification from the individual submitting the request. The position has now changed and, in certain circumstances, an organisation may ask the requestor to specify the information their request relates to before responding to the request. Once clarification has been submitted, the one month deadline for providing a response is effectively paused until the individual responds.

This will be met with great fanfare by organisations and employers. Previously, it was virtually impossible to compile a general request for “all my personal data” made by an individual employed by an organisation for a number of years within the original deadline of one month from the date the organisation receives the DSAR.

The guidance states that clarification should only be sought where “it is genuinely required in order to process the DSAR; and you process a large amount of information about the individual”. A “large amount of information” is not defined, however; the guidance suggests that this will depend on the organisation’s size and resources, and their ability to actually locate and retrieve all of the requested information by conducting a “reasonable search.” Emphasis here should be placed on the word “reasonable.” Once again, the ICO is reminding organisations that responding to a DSAR is not a “leave no stone unturned” exercise.

The “reasonable” approach is further detailed in the examples chosen by the ICO. One features an ex-employee requesting “all the information you hold on me.” The example goes on to state that it is not clear from the request what the individual wants and that the correct approach is to explain to the individual that “whilst they are entitled to request all the information held about them, the [organisation] is only required to conduct a reasonable search of their records…[and therefore] the individual may only receive some of the information held about them.”

Many organisations may think that the guidance has not gone far enough. Unfortunately for them, it stresses that there is no obligation on individuals to clarify their request and that any refusal to do so means the original request must still be complied with; albeit with “reasonable searches.”

Finally, where clarification has been sought from the requestor but the organisation does not receive a response after a reasonable period of time (one month), the organisation can consider the matter closed.

2. Manifestly excessive right of access requests

Previously loosely defined and the cause of great confusion, the ICO has now provided further clarity as to what a “manifestly excessive” DSAR might be. A “manifestly excessive” request will be “clearly and obviously unreasonable”, according to the guidance. Once a request is deemed “manifestly excessive,” the organisation does not have to comply with it. Factors that organisations should consider are as follows:

–       The nature of the requested information;

–       The organisation’s available resources;

–       The damage a refusal to provide information to the requestor or acknowledge the DSAR may cause; or

–       The context of the request, and the relationship between you and the individual.

The final two factors should be of particular interest to employers/organisations. These could be viewed as an ICO acknowledgement of the use of DSARs in legal proceedings, whether by a company attempting to subdue an ex-employee by burying them in paper work, or by a long-standing ex-employee making a general request for all of their personal data for the sole reason that this will be a significant financial burden on the company.

Fundamentally, organisations dealing with requests should remember that just because an individual’s request is for a large amount of information, it will not automatically be considered manifestly excessive. Any and all reasons as to why an organisation believes the request is manifestly excessive should be considered with the view in mind that they will be scrutinised by an ICO representative.

Jacob Montague

Senior Solicitor

View profile

+44 118 960 4613

ICO has made many “changes and added additional content to the version already published”

3. Charging a fee for excessive, unfound or repeat requests

The ability for an organisation to charge a fee for responding to manifestly unfounded, excessive or repeat requests rather than refusing to comply, has also been given further clarity in the updated guidance. The guidance states that a fee should take into account any administrative costs, such as locating the information, liaising with the individual, providing the information to the individual. Importantly, the guidance clarifies that the reasonable fee could include staff time, i.e the estimated time it will take staff to comply with the request, charged hourly at a reasonable rate.

The guidance is careful not to state limits on fees, although section 12(1) of the Data Protection Act 2018 does give the Secretary of State this discretion. This update is again an endorsement by the ICO of the vast costs that can be attributed to DSARs. Any fee should be requested in advance and should detail how the fee is calculated. Crucially, the guidance provides the organisation with the discretion to ignore the request until the fee has been received. Whilst the criteria for charging fees should be available on request, there is no obligation for the organisation to make it available online. Organisations should expect to be able to robustly justify any associated fees to the ICO.

As above with a request for clarification, where a request for a fee has been submitted and is not received within one month, the organisation can treat the request as closed.

The updated guidance therefore shows that the ICO has understood the concerns of organisations. The ability to clarify, the ability to charge a fee, and a clearer definition of “manifestly excessive” will come as a great relief to organisations so often put on the back foot by DSARs. The administrative burden on organisations remains high but, recognising the increasing value of personal data, the guidance does not diminish or negate the importance or data transparency. However, the new measures will go some way to mitigating unnecessary requests, facilitating better dialogue between the requestor and the requestee, and closing requests where dialogue has ceased.

About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jacob Montague

Senior Solicitor

View profile

+44 118 960 4613

About this article

Read, listen and watch our latest insights

  • 16 May 2024
  • Immigration

What Employers need to know about Biometric Residence Permits

Biometric Residence Permits (BRPs) are biometric immigration documents that are issued to non-EEA nationals and EEA nationals, who have been granted permission to stay in the UK.

  • 14 May 2024

Clarkslegal’s London team moves to new Chancery Lane office

The London office of Clarkslegal has relocated to Chancery House, on Chancery Lane. The staff is enthusiastic about the relocation because Chancery Lane has a longstanding association with the legal profession in London.

  • 10 May 2024
  • Employment

New duty on employers to prevent sexual harassment – coming October 2024

The Worker Protection (Amendment of Equality Act 2010) Act 2023 is due to come into force in October 2024.

  • 09 May 2024
  • Employment

Labour Party Employment Law Proposals – Promises of further consultations and a softer approach

The Prime Minister recently announced a raft of changes, to be implemented in the next parliament, aimed at reducing the number of people who are economically inactive due to illness.

  • 09 May 2024
  • Corporate and M&A

Navigating corporate transparency: ECCTA reforms series – part 1

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) received Royal Assent in October 2023 and marked a pivotal moment in corporate governance and transparency.

  • 07 May 2024
  • Employment

Changes to TUPE rules from 1 July 2024

The Transfer of Undertakings (Protection of Employment) Regulations 2006 (‘TUPE’) aim to safeguard employees’ rights on the transfer of a business or on the change of a service.