The Information Commissioner's Office (ICO) has amended its General Data Protection Regulation: Right of access guidance, specifically in relation to the timescales for compliance with data subject access requests (DSARs) where the data controller has sought clarification of the request.
The previous guidance (published in April 2018) stated that the start of the one month time period for compliance with the DSAR would be paused until the data controller was in receipt of any requested information/clarification. This is no longer the case.
The updated guidance now states that data controllers can request further information/clarification but that the timescale for responding to the DSAR is not affected by this. The data controller must still respond to the DSAR within one month, unless it intends to rely on the extended timescale which can apply where multiple or complex DSARs have been received. This gives the data controller a further two months to respond to the DSAR. If a data controller wishes to rely on the multiple or complex extension it must inform the data subject within one month of receiving the DSAR and explain why the extension is necessary.
The revised guidance continues to state that where the data controller has requested confirmation of identity from the data subject, the timescale for responding to the DSAR will not start until this confirmation is received.
These timescale adjustments may pose some challenges for those responding to DSARs where the precise scope of the information sought by the DSAR is unclear.
Requests for clarification will often need to be made where the DSAR is cast in broad terms and the data controller requires details of particular custodians, relevant timeframes, and keywords for the purposes of data retrieval and electronic searches. If the data subject takes time providing the requested detail, this considerably reduces the remaining time the data controller has to collate a response and comply with the DSAR.
The revised short-form guidance is consistent with what is set out in the ICO’s more detailed Right of Access guidance, issued in draft in December 2019. This is currently the subject of a consultation that closes on 12 February 2020. Therefore, employers with concerns about the modified position that the ICO is now taking on timescales can still submit their views for consideration as part of that consultation.
It seems unlikely (although theoretically possible) that the ICO will change its stance, not only because its position is now duplicated in both forms of the guidance, but also because it seems to reflect more accurately the intention of Article 12 of the General Data Protection Regulation (GDPR) 2016/679.
Going forward, employers should:
We anticipate that more data controllers will now claim the two month extension, to ensure that they have sufficient time to respond should clarification not be given, or if the requester responds by insisting that they want 'all' of their personal data. In this regard, the new guidance is helpful because it suggests that the ICO are taking a broad view of what counts as a 'complex' request, making it easier for data controllers to claim an extension.