A change in approach to subject access? ICO Publishes Updated DSAR Guidance

Summary

  • The ICO (the UK privacy regulator) has updated its guidance on data subject access rights, and the revised guidance appears to be aimed at giving organisations practical advice on managing and responding to subject access requests by including further detail and examples.
  • Although the revised guidance has not changed dramatically, it is fair to say that there are a few elements of the revised guidance which offer a glimmer of hope for organisations currently struggling to effectively manage the burden of DSAR compliance, and increasingly frustrated regarding the use of DSARs as a ‘fishing expedition’ for disgruntled employees.
  • In certain circumstances, the guidance provides that organisations can now stop the clock when clarifying access requests with data subjects.
  • Additional guidance is now also available on what constitutes a ‘manifestly excessive’ request (i.e. when an organisation can refuse to comply with a subject access request).
  • The ICO has also widened the circumstances in which organisations are permitted to charge a reasonable fee for DSAR responses.
  • Interestingly, the guidance contains a new section on ‘enforced’ subject access requests (sometimes seen in the employment context as a tool to carry out background checks), and concludes that in some circumstances these can result in a criminal offence being committed.

Continue reading