The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

21 October 2020

The right of access is a fundamental right under data protection law. And it has never been more necessary. In a world where personal data is used almost everywhere – by everyone – it’s vital that people have the right to be able to find out what’s happening to their information.

More and more people are waking up to the power of their personal data, and are exercising their rights. That’s why, as an organisation, it’s important that you know how to deal with a subject access request (SAR) effectively and efficiently.

The right of access detailed guidance that we’re publishing today will help you to do that.

When this guidance initially went out for consultation, back in December 2019, we received over 350 responses from organisations of all sizes and sectors. The responses were generally positive.

However, there were calls for additional content and examples, and it was also obvious that there was an appetite for more support and clarification on some aspects of the law that aren’t so clear-cut.

It showed how seriously organisations take their data protection obligations – and we’ve responded by providing clarity on the three key points raised.

  1. Stopping the clock for clarification – one issue which we received a lot of feedback on was that seeking clarification on requests often didn’t leave enough time to respond. As a result, our position now is that, in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request.
  2. What is a manifestly excessive request – to combat confusion over when to class a request as manifestly excessive, we’ve provided additional guidance to help and broadened its definition.
  3. What can be included when charging a fee for excessive, unfounded or repeat requests – we’ve taken the feedback on board about the fee for staff time involved in responding to manifestly unfounded or excessive requests, or responding to follow-up SARs, and have updated what organisations can take into account when charging an admin fee.

We’ve also made many more changes and added additional content to the version that we previously published.

We know it’s a difficult time. We hope this guidance is going to be useful for organisations across the board, especially during the COVID-19 pandemic, as it will give them more insight into how to deal with SARs and access the information they need quickly and easily.

For extra support we’re planning a suite of resources – including a simplified SAR guide for small businesses which picks out the key ‘need-to-knows’ from the detailed guidance.

The right of access is a cornerstone of data protection law and good SAR compliance instils trust and confidence. That’s why it’s essential that organisations get this right, because people’s trust in how organisations use their personal data plays a role in their overall confidence and support for your services.

We’re here to help with your queries about subject access requests - you can contact us via our helpline or through live chat.

Anulka Clarke is Acting Director of Regulatory Assurance at the ICO.