News and Events

ICO Right of Access detailed guidance

  • Posted

Last week the ICO published the Right of Access detailed guidance. The guidance doesn’t alter the existing law but rather provides clarification for employers on how to deal with subject access requests ('SAR').

Following consultation, there are three main areas that the guidance addresses:

1) What amounts to a ‘manifestly excessive’ SAR?

The guidance confirms that it is a balancing act and the employer must determine whether the SAR is “clearly or obviously unreasonable”. This involves assessing whether the response required is “proportionate when balanced with the burden or costs involved”. Employers should consider all the circumstances, including (but not limited to): the nature of the information, the context of the request, whether not complying with the SAR could cause substantive damage to the employee, your available resources etc.

You can view the full list and further details here.

2) What is a ‘reasonable fee’ for complying with a manifestly excessive or unfounded SAR?

A ‘reasonable fee’ can include: the cost of staff time, photocopying, printing, postage, envelopes, USB sticks etc. Employers can take into account the administrative cost related to assessing the information, locating it, copying it and communicating with the employee.

You can see the complete guidance here.

3) Stopping the clock when clarification of the SAR is required.

An employer can potentially ‘stop the clock’ on the 30 day time limit for compliance with an SAR, if clarification is genuinely required and if the organisation processes a large volume of information about that employee.

The ICO has provided several useful examples, which you can view here.