New guidance from the Information Commissioner's Office (ICO) includes an ability to "stop the clock" on the one-month deadline for responding to data subject access requests (SARs) while data controllers are waiting for individuals exercising their right of access to personal data to clarify their request.
The move by the national data protection authority comes as data controllers have faced a growing wave of access requests since the implementation of the General Data Protection Regulation (GDPR) in 2018.
The ICO recently published its updated guidance on handling SARs, following a consultation that began at the end of 2019; it includes welcome advice for data controllers. As well as offering more detail on how controllers can stop the clock, the guidance offers clarity on what is a manifestly excessive request, and what can be included when charging a fee for excessive, unfounded or repeat requests.
Stopping the clock is likely to be of most interest to data controllers that hold a large amount of data and typically receive requests for "all of the information you hold about me".
How to stop the clock
If you process a large amount of information about an individual, and clarification is genuinely required in order to respond to the SAR, you can ask the requester to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is then paused until clarification is received.
The clock is stopped for the number of days that it takes the data subject to respond. For example, if the original one-month deadline was 15 March, and clarification was requested on 20 February, and a response received on 27 February, the new deadline would be 22 March.
If the data subject simply repeats the request in response, or maintains a request for "all of the information you hold about me", you must still comply with their request by carrying out a reasonable search for personal data.
If the data subject does not respond at all, you do not have to provide any personal data and can close the request.
While clarification is potentially a very useful new tool in your armoury for dealing with SARs, it is important to remember that:
- You should ask for clarification early. If you wait until a few days before the deadline, you will still only have a few days to search for the data once the data subject responds.
- You cannot ask for clarification as a blanket policy; it can only be requested where there is a genuine need to do so and you process a large amount of information about the individual.
- If you can reasonably provide any of the supplementary information (such as retention periods and the right to complain to the ICO) without clarification, you still need to do so within the original one-month deadline.
- The one-month deadline can also be extended (to three months) if the request is complex.
If you would like any assistance or advice on handling SARs, Osborne Clarke offers a comprehensive and cost-efficient SAR service which helps data controllers manage and meet their obligations.