What should we consider when responding to a request?
In more detail
- How long do we have to comply?
- Can we extend the time for a response?
- When is a request complex?
- Can we clarify the request?
- Can we charge a fee?
- Do we need to make reasonable adjustments for disabled people?
- Can we ask for ID?
- What if the individual mentions other rights?
- How should we deal with bulk requests?
- Do we still need to comply if the requester dies before the response is provided?
How long do we have to comply?
You must comply with a SAR without undue delay and at the latest within one month of receipt of the request or within one month of receipt of:
- any information requested to confirm the requester’s identity (see ‘Can we ask for ID?’); or
- a fee (only in certain circumstances – see ‘Can we charge a fee?’).
You should calculate the time limit from the day you receive the request, fee or other requested information (whether it is a working day or not) until the corresponding calendar date in the next month.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which an individual makes the request.
For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Can we extend the time for a response?
Yes. You can extend the time to respond by a further two months if:
- the request is complex; or
- you have received a number of requests from the individual – this can include other types of requests relating to individuals’ rights, for example where an individual has made a SAR, a request for erasure and a request for data portability simultaneously.
You should calculate the extension as three months from the original start date, ie the day you receive the request, fee or other requested information.
If you decide that it is necessary to extend the time limit by two months, you must let the individual know within one month of receiving their request and explain why.
When is a request complex?
Whether a request is complex depends upon the specific circumstances of each case. What may be complex for one controller may not be for another – the size and resources of an organisation are likely to be relevant factors. Therefore, you need to take into account your specific circumstances and the particular request when determining whether the request is complex.
The following are examples of factors that may, in some circumstances, add to the complexity of a request. However, you need to be able to demonstrate why the request is complex in the particular circumstances.
- Technical difficulties in retrieving the information – for example if data is electronically archived.
- Applying an exemption that involves large volumes of particularly sensitive information.
- Clarifying potential issues around disclosing information about a child to a legal guardian.
- Any specialist work involved in obtaining the information or communicating it in an intelligible form.
- Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
- Needing to obtain specialist legal advice. If you routinely obtain legal advice (for example, where lawyers are responsible for responding to, or reviewing SARs), it is unlikely to be complex.
- Searching large volumes of unstructured manual records (only applicable to public authorities).
Requests that involve a large volume of information may add to the complexity of a request. However, a request is not complex solely because the individual requests a large amount of information.
Also, a request is not complex just because you have to rely on a processor to provide the information you need in order to respond.
Can we clarify the request?
Yes. If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’.
This means that you do not need to provide the individual with a copy of the information, or any of the supplementary information that you cannot reasonably provide, unless you have obtained clarification.
You should not seek clarification on a blanket basis. You should only seek it if:
- it is genuinely required in order to respond to a SAR; and
- you process a large amount of information about the individual.
It is up to you whether you request clarification of a request – as long as you are satisfied that you hold a large amount of information, and it is not clear what information the individual is requesting. You are not required to do so, and you may choose to perform a reasonable search instead. Please see ‘What efforts should we make to find information?’ for more information on what is a reasonable search and to what extent you must search for information.
Whether you hold a large amount of information about an individual will, to an extent, depend on your organisation’s size and the resources available to you. The volume of information held may be less of an issue for a big organisation with significant dedicated resources available to respond to a SAR. However, a smaller organisation processing the same amount of information, but with fewer and less sophisticated resources at its disposal, is more likely to be able to argue that it holds a large amount of information.
Another factor to consider is whether, due to its volume, you are unlikely to be able to locate and retrieve all of the requested information by performing a reasonable search of the information you hold in relation to the individual.
Essentially, it is unlikely to be reasonable or necessary to seek clarification if you process a large volume of information in relation to the individual but can obtain and provide the requested information quickly and easily.
You can ask the requester to provide additional details about the information they want to receive, such as the context in which you may have processed their information and the likely dates of when you processed it. However, you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them. If an individual responds to you and either repeats their request or refuses to provide any additional information, you must still comply with their request by making reasonable searches for the information.
Example
An individual writes to their local GP practice and asks for ‘all the information you hold about me.’ The practice employed the individual as a receptionist for a number of years and they are currently registered as a patient. As the individual is now a carer for their elderly parent, the practice also holds personal data relating to them within their parent’s file.
The practice is of the view that they process a large volume of information about the individual. However, it is not clear from the request what information the individual wants. If the practice performs a reasonable search of their records, they will be able to provide some of the information held about the individual, but would need to perform a much more extensive search in order to provide all the information they hold.
In these circumstances, it is reasonable to ask the individual to clarify their request. The practice should explain to the individual that whilst they are entitled to request all the information held about them, the practice is only required to conduct a reasonable search of their records. This means that the individual may only receive some of the information held about them. It is important to explain to the individual that by clarifying their request, the practice will be able to focus their searches on locating the specific information that the individual wants.
The individual could clarify the request by, for example, asking for details of their employment from 1993 to 2008; their medical records which relate to an accident in 2018; and ‘everything else you hold about me’. The practice should focus their searches on the first two enquiries and then perform a reasonable search for the rest of the information.
It is likely that you will be able to provide certain information without seeking clarification, although this may depend on the circumstances. For example, in many cases you will be able to provide a general confirmation that you hold personal data about the individual. In addition, you should be able to provide some of the supplementary information set out in Article 15(1) of the UK GDPR, in particular details of:
- the individual’s right to request rectification, erasure or restriction, or to object to processing; and
- the individual’s right to lodge a complaint with the ICO or another supervisory authority.
If you can reasonably provide any of the supplementary information without clarification, you should provide it within one month. If your privacy notice already contains this supplementary information, it is sufficient to provide the individual with a link to it.
Example
A supermarket receives a SAR from a long-standing employee for all the data the supermarket holds about them. The employee has recently had a complaint made about them by another employee.
The supermarket asks the employee if they only want information relating to the complaint or if the employee is looking for information between particular dates. The supermarket also asks if the employee would like information unrelated to their employment, eg information linked to the employee’s reward account as a customer.
Until the supermarket receives clarification, they will be unable to perform a reasonable search, or provide a copy of the information, as they do not know what information the request relates to. Furthermore, they will not be able to provide some of the supplementary information, including the purposes of processing, categories of personal data and the retention period. However, they can provide some information, including details of the individual’s right to lodge a complaint with the ICO. The supermarket sends the individual a copy of their privacy notice as it already contains these details.
You should ensure the process of seeking and obtaining clarification is quick and easy for the individual, and as far as possible you should provide advice and assistance to help them clarify their request. You should explain that the clock stops from the date that you request clarification and will resume once the individual responds. You should also specify whether the individual needs to reply by a certain time.
Where possible, you should contact the individual in the same format they made the request, eg if they have emailed the SAR, you should email them to ask for clarification.
If you receive a request where it is genuinely unclear whether an individual is making a SAR, then the time limit does not begin until you have clarified whether the individual is making a SAR, and what personal data they are requesting. In such cases, you are expected to contact the individual as quickly as possible (eg by phone or email where this is appropriate). You should keep a record of any conversation with an individual about the scope of their request and the date when you sought and received any further explanation.
In all circumstances, you should explain to the individual why you are seeking further details and be able to justify your position to the ICO, if asked to.
When you ask for clarification, the timescale for responding will stop until the requester clarifies the request and will resume on the date you receive clarification from the requester. You should calculate the timescale as follows:
- When you receive a request, you should calculate when the response would normally be due. See ‘How long do we have to comply?’
- If you have requested clarification, you may extend this time limit by the number of days that you stopped the clock.
Example
If you receive a request on 14 May, the time limit starts from the same day. You will have one month to reply which means you should respond by or on 14 June.
However, if you ask for clarification on 15 May, the clock stops from 15 May until the date the requester responds. If the requester provides you with clarification on 18 May, the timing will resume on that date.
The clock was therefore stopped from 15 May until 18 May. This means that you can extend the original one month deadline by three days and you should provide a response by or on 17 June.
You should request clarification promptly and without undue delay after receiving the request. This will enable you to focus on searching for the information the individual wants at the earliest possible stage and ensure that you have sufficient time to respond.
Example
An organisation receives a request on 19 June. As the equivalent date in July falls on a Sunday, the organisation has until Monday 20 July to comply.
The organisation waits until 15 July to ask for clarification. The individual responds on 16 July which means that the original deadline can only be extended by one day. The response is due by Tuesday 21 July.
However, the organisation is unable to comply by the deadline as they did not leave themselves enough time to search for the information after obtaining clarification.
If it only becomes apparent during the course of a search that you need further information in order to respond, you should record why it was not possible to request clarification at an earlier stage.
If you seek clarification and receive it on the same day, the clock will not stop – you should calculate the extension to the time limit in terms of days, not hours.
Example
If you receive a SAR on 1 July, request clarification on 2 July at 00:00 and receive clarification later that day at 23:59, you cannot stop the clock and extend the time limit by one day. The original deadline of one month will still apply.
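The deadline rules above (corresponding calendar date in the next month, last day of the month where no such date exists, rollover from weekends and public holidays, the three-month extension, and a clock stop counted in whole days so that same-day clarification adds nothing) are easy to get wrong in a case-management system. The following is an added worked example in Python, not code from the ICO or from this guidance, that implements those rules and reproduces the 14 May and 19 June examples given earlier. It assumes the caller passes the date on which the clock actually started (receipt of the request, fee or identity information, whichever is latest); the holiday set is a constructed sample, and rolling a clarification-extended date off a weekend is an assumption the guidance does not spell out.

```python
import calendar
from datetime import date, timedelta
from typing import FrozenSet, Optional, Union

# Constructed sample set of public holidays; a real system would load the
# bank-holiday calendar for the relevant UK nation instead.
SAMPLE_HOLIDAYS: FrozenSet[date] = frozenset({date(2022, 1, 3)})

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept either a date or an ISO 8601 string such as '2021-05-14'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` later.

    If that date does not exist (e.g. 31 January + 1 month), return the
    last day of the target month, as the guidance requires."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """Roll a date that falls on a weekend or public holiday forward to the
    next working day; a working day is returned unchanged."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(
    clock_start: DateLike,
    holidays: FrozenSet[date] = frozenset(),
    extended: bool = False,
    clarification_sent: Optional[DateLike] = None,
    clarification_received: Optional[DateLike] = None,
) -> date:
    """Latest date for responding to a SAR.

    clock_start:  day the request, fee or requested ID information was
                  received (whichever is latest), counted whether or not it
                  is a working day.
    extended:     True when the request is complex or one of several
                  requests, giving three months from clock_start.
    clarification_sent / clarification_received: dates bounding a
                  'stop the clock' period; the deadline moves by the number
                  of whole days between them, so same-day receipt adds 0."""
    months = 3 if extended else 1
    due = next_working_day(add_calendar_months(_as_date(clock_start), months), holidays)

    if clarification_sent is not None and clarification_received is not None:
        stopped_days = (_as_date(clarification_received) - _as_date(clarification_sent)).days
        if stopped_days < 0:
            raise ValueError("clarification cannot be received before it was requested")
        # Assumption: if the extended date lands on a non-working day it is
        # rolled forward again, matching the treatment of the original date.
        due = next_working_day(due + timedelta(days=stopped_days), holidays)
    return due


def safe_internal_target(clock_start: DateLike) -> date:
    """The guidance suggests a fixed 28-day internal target so that a
    response always falls inside the statutory calendar month."""
    return _as_date(clock_start) + timedelta(days=28)


if __name__ == "__main__":
    # Example from the guidance: request 14 May, clock stopped 15-18 May.
    print(sar_deadline("2021-05-14"))                                   # 2021-06-14
    print(sar_deadline("2021-05-14", clarification_sent="2021-05-15",
                       clarification_received="2021-05-18"))            # 2021-06-17
    # Example from the guidance: 19 June, 19 July is a Sunday, late clarification.
    print(sar_deadline("2020-06-19"))                                   # 2020-07-20
    print(sar_deadline("2020-06-19", clarification_sent="2020-07-15",
                       clarification_received="2020-07-16"))            # 2020-07-21
```

Feeding the function ISO strings makes it easy to drive from a ticketing system; the `safe_internal_target` helper gives the 28-day operational target the guidance mentions for systems that need a fixed number of days.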
The clock only stops where you seek clarification about the information requested. It does not apply if you ask for clarification on any other matter, for example, the format of the response.
Example
An individual requests a copy of their medical records from 5 February 2001 until 9 August 2007. They specifically ask that the practice forwards the records by email. However, due to security concerns, it is not possible to email the records but the practice is able to provide the individual with remote access to their information. The practice decides to ask the individual whether they are happy with this.
The clock does not stop when they ask for clarification and the usual time limit of one month still applies. Since the time limit is not paused whilst they wait for a response, the practice should begin searching for information as soon as possible.
Where you seek clarification, but do not receive a response, you should wait for a reasonable period of time before considering the request ‘closed’. While one month is generally reasonable, you should adopt a proportionate and reasoned approach. If you believe that an individual might have difficulty in providing additional details within a specified timeframe, you should try to accommodate the individual as much as possible, for example where complex issues are involved or when there are accessibility issues.
If you need to request both clarification and proof of ID, you should do so as soon as possible. You should not wait until the individual provides clarification before asking for ID documents, unless there is a risk of disclosing personal data to the individual before you have checked their identity. You must not deter or delay individuals from exercising their subject access rights.
You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests (see ‘Can we extend the time for a response?’). However, a request is not complex just because you need to seek clarification. For further information on complex requests, see the earlier section, ‘When is a request complex?’.
Can we charge a fee?
In most cases, you cannot charge a fee to comply with a SAR.
However, you can charge a ‘reasonable fee’ for the administrative costs of complying with a request if:
- it is manifestly unfounded or excessive; or
- an individual requests further copies of their data following a request.
Alternatively, you can refuse to comply with a manifestly unfounded or excessive request. For information about when a request may be manifestly unfounded or excessive, please see ‘When can we refuse to comply with a request?’.
When determining a reasonable fee, you can take into account the administrative costs of:
- assessing whether or not you are processing the information;
- locating, retrieving and extracting the information;
- providing a copy of the information; and
- communicating the response to the individual, including contacting the individual to inform them that you hold the requested information (even if you are not providing the information).
As there may be substantial overlap across these activities, you should ensure that the fee you charge is reasonable and that you do not ‘double-charge’ the individual. For example, the process of locating, retrieving and extracting information may be performed in one action, depending on the context in which you hold the information and the nature of the search you perform.
A reasonable fee may include the costs of:
- photocopying, printing, postage and any other costs involved in transferring the information to the individual (eg the costs of making the information available remotely on an online platform);
- equipment and supplies (eg discs, envelopes or USB devices); and
- staff time.
You should base the costs of staff time on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. Section 12(1) of the DPA 2018 allows for the Secretary of State to specify limits on the fees that controllers may charge to deal with a manifestly unfounded or excessive request by way of regulations.
However, at present there are no regulations in place. As such, it is your responsibility as a controller to ensure that you charge a reasonable rate.
You should ensure that you charge fees in a reasonable, proportionate and consistent manner. Therefore, it is good practice to establish an unbiased set of criteria for charging fees which explains:
- the circumstances in which you charge a fee;
- your standard charges (including a costs breakdown where possible eg the costs per A4 photocopy); and
- how you calculate the fee – explaining the costs you take into account including the costs of staff time.
Your criteria should be clear, concise and accessible. You should make these criteria available on request, but you do not need to publish them online.
When requesting a fee you should explain the costs to the individual. You should include a copy of these criteria in your request for a fee and explain any charge that is unclear (see ‘Do we need to explain the information supplied?’). You should also advise the individual if you intend to charge a fee even if you are not providing the information.
You must be able to justify the costs you have charged in the event that an individual complains to the ICO.
If you choose to charge a fee, you do not need to comply with the request until you have received the fee. However, you should request the fee promptly and at the latest within one month of receiving the SAR. This means you must request the fee as soon as possible. You must not unnecessarily delay requesting it until you are nearing the end of the one month time limit.
If you are unable to request the fee as soon as reasonably possible, you should document the reasons why this was not possible and be able to provide your reasons to the ICO, if asked. You should not ask for a fee as a way of extending the period of time you have to respond to the request.
You should allow the individual a reasonable period of time to respond to your request for a fee. It is generally reasonable to close the request if you do not receive a response within one month, although what is reasonable also depends on the circumstances.
Do we need to make reasonable adjustments for disabled people?
Yes. Some disabled people may experience communication difficulties, and may therefore have difficulty making a SAR. You have a legal duty to make reasonable adjustments if they wish to make a request. If the request is not straightforward, you should document it in an accessible format and send it to the disabled person to confirm the details of the request.
What is a reasonable adjustment will depend on the specific needs of the individual. Before responding to a SAR you should talk to the person to find out how best to meet their needs. This may be by providing the response in a particular format that is accessible to the person, such as large print, audio formats, email or Braille. If an individual thinks you have failed to make a reasonable adjustment, they can make a claim under the Equality Act 2010 or the Disability Discrimination Act 1995 (NI). Further information about your legal obligations and how to make effective reasonable adjustments is available from the Equality and Human Rights Commission or from the Equality Commission for Northern Ireland.
Can we ask for ID?
Yes. To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that:
- you know the identity of the requester (or the person the request is made on behalf of); and
- the data you hold relates to the individual in question (eg when an individual has similar identifying details to another person).
You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.
Example
You have received a written SAR from a current employee. You know this employee personally and have even had a phone conversation with them about the request. Although your organisation’s policy is to verify identity by asking for a copy of a utility bill, it is unreasonable to do so in this case since you know the person making the request.
You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.
However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information.
How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.
Example
An online retailer receives a SAR by email from a customer. The customer has not used the site for some time and although the email address matches the company’s records, the postal address given by the customer does not. In this situation, before responding to the request it is reasonable to gather further information, which could simply be to ask the customer to confirm other account details, such as a customer reference number.
The level of checks you make may depend on the possible harm and distress that inappropriate disclosure of the information could cause to the individual concerned.
Example
A GP practice receives a SAR from someone claiming to be a former patient. The name on the request matches a record held by the practice, but there is nothing else in the request to enable the practice to be confident that the requester is the right patient. In this situation, it is reasonable for the practice to ask for more information before responding to the request. The potential risk to the former patient of sending their health records to the wrong person is high, so the practice is right to be cautious. They could ask the requester to provide more information, such as a passport or driving licence or another document confirming their identity.
When you receive a SAR, you should determine what information you require to verify identity and explain to the individual what they need to provide. You will sometimes need to request more information than usual, depending on the circumstances. You should not request ID documents if you are aware that it might not be sufficient, or if you believe that you will need to request further proof at a later stage.
Example
A local authority is aware that a father and son living at the same address have the same name – John Smith. When they receive a request from a John Smith at this address, it is reasonable for them to request proof of identity that reveals the requester’s date of birth, even if they would not usually ask for ID which confirms date of birth.
The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly. This means you must request the documents as soon as possible. You must not unnecessarily delay requesting the documents until the end of the one month time limit.
If the requested information is not sufficient and you need to take further steps to verify the individual’s identity, the timescale for responding begins once you have completed the verification. However, this only applies in exceptional circumstances, and generally the timescale for responding to a SAR begins once you receive the requested information. Please see ‘How long do we have to comply?’ for more information about timescales.
For example, the ID documents may not be sufficient if an individual supplies information which raises doubts about their identity, or you have reasonable concerns that the ID is fraudulent or the individual has obtained it fraudulently.
Example
After a company has received a SAR, they ask for proof of ID. However, when this is provided the name on the ID document is different from the name they have on record for the individual concerned, and the company cannot be certain that they are the same person. In this situation, it is reasonable for the company to ask for further proof of the individual’s identity by asking for alternative ID or evidence that explains why the names are different. The timescale does not begin until they have received sufficient information to verify the requester’s identity.
Whilst you do not need to keep copies of ID documents, it might be helpful to keep a note of:
- what ID documents the individual provided;
- the date you verified them; and
- details of who in your organisation verified them.
Before supplying any information in response to a SAR, you should also check that you have the correct details to send the response (eg the correct email address).
What if the individual mentions other rights?
If you have received a number of simultaneous requests from an individual, which relate to other rights under the UK GDPR (eg the right to erasure and the right to data portability), you should deal with each request separately. You should refer to our published guidance relevant to each of the rights they want to exercise. However, certain steps will be common to each request, for example:
- establishing proof of ID;
- ensuring that a third party has authority to act on behalf of the data subject; and
- determining what information the request relates to.
If you receive a number of requests from an individual relating to their UK GDPR rights, you may be able to extend the time limit to respond by a further two months. See ‘Can we extend the time for a response?’ for further information.
How should we deal with bulk requests?
Depending on the size of your organisation and the nature of your business, you may receive a number of SARs in a short period of time. In the financial services sector, for example, it is not uncommon for claims management companies to make bulk requests on behalf of multiple individuals.
You must consider each SAR within a bulk request individually and respond appropriately. The ICO acknowledges the potential resource implications of this duty but recommends you bear in mind the following principles when dealing with high volumes of SARs:
- A SAR made as part of a bulk request has the same legal status as an individual making a SAR.
- The purpose for which an individual makes a SAR does not affect its validity, or your duty to respond to it (unless it is a manifestly unfounded or excessive request).
- If a third party makes a request on behalf of an individual, the third party’s behaviour should not be taken into account in determining whether a request is manifestly unfounded or excessive.
- You must satisfy yourself that the third party is authorised to make the request.
- You must satisfy yourself as to the identity of the individual concerned.
- You must respond to the request even if you hold no information about the individual (your response may obviously be very brief in such cases).
In considering a complaint about a SAR, the ICO will have regard to the volume of requests received by an organisation and the steps they have taken to ensure they deal with requests appropriately, even when facing a high volume of similar requests. The organisation’s size and resources are also likely to be relevant factors. As we explain in ‘Can the right of access be enforced?’, the ICO has discretion as to whether to take enforcement action, and we would not take such action if it is clearly unreasonable to do so.
Do we still need to comply if the individual dies before we provide a response?
No. The definition of personal data covers information which relates to a living individual. If you receive a SAR, but are aware that the individual has died before you have provided the response, you are not obliged to respond to the request because the data ceases to be personal data once the individual has died.
It is important to note that this does not mean that from the moment of a person’s death, any information relating to them is freely available to anyone requesting access to that information. You need to consider other legal rules protecting a deceased person’s information, such as the common law duty of confidentiality.