Welcome clarity on data subject access requests

The ICO has published detailed guidance on data subject access requests (SARs), the key features of which are summarised below.

The new guidance, coupled with a decision of the High Court in Lees v Lloyds Bank Plc [2020] EWHC 2249, shows a slight reining-in of the widely used right for data subjects to request copies of their personal data. This right has, since the Cambridge Analytica inquiry, not been reserved for UK citizens but has applied to non-UK data subjects too. In the Cambridge Analytica case, a US citizen, David Carroll, submitted a SAR in order to find out how his personal data was being used to profile him for micro-targeting in electoral campaigns. At that time, it was unclear whether the ICO would investigate requests by foreign citizens, even if they related to personal data processed in the UK. Cambridge Analytica thought this to be the case, asserting that Mr Carroll had no more right to submit a SAR “than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan”. However, the Information Commissioner confirmed that he was entitled to his personal data, thus opening the door for SARs to be used in international litigation and making SARs commonplace in complex international disputes.

In response to the 2019 consultation on the new guidance, the ICO has implemented three key changes to clarify unclear aspects of the law.

  1. Stopping the clock for clarification: If an organisation processes a large amount of information about an individual, it may seek clarification about the information requested before responding to the request. The time limit for responding to the request is now paused until the organisation receives such clarification. This will be a welcome change, allowing organisations to respond within the tight time limits set by the GDPR.
  2. Defining “manifestly unfounded or excessive” data requests: Where a SAR is manifestly unfounded or excessive, an organisation can charge a reasonable fee to comply with the SAR or, alternatively, it can refuse to comply. The circumstances in which a SAR will meet these criteria include (i) where an individual clearly has no intention to exercise their right of access, e.g. where an individual makes a SAR but then offers to withdraw it in return for some form of benefit from the organisation; or (ii) where the SAR is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption, e.g. where it targets a particular employee against whom the individual has some personal campaign. Of course, if an individual genuinely wants to exercise their rights, then it is unlikely that the request will be manifestly unfounded. It is important to note that a SAR will not be “manifestly excessive” simply because the individual requests a large amount of information. However, if the request largely repeats previous requests, then an organisation may not need to comply.
  3. Listing what can be included when charging a fee for excessive, unfounded or repeat requests: In most cases, an organisation cannot charge a fee to comply with a SAR; however, it can charge a “reasonable fee” if the request is manifestly unfounded or excessive (see above) or if an individual requests further copies of their data following a request. The ICO has confirmed that when determining a reasonable fee, an organisation can take into account the administrative costs of: (i) assessing whether or not an organisation is processing the information; (ii) locating, retrieving and extracting the information; (iii) providing a copy of the information; and (iv) communicating the response to the individual, including contacting the individual to inform them that the organisation holds the requested information (even if it is not providing the information). The fee may also include the costs of (i) photocopying, printing and postage; (ii) equipment and supplies; and (iii) staff time. The inclusion of staff time is helpful given the intensive time costs of complying with SARs. The staff time costs should be based on the estimated time it will take staff to comply with the request, charged at a reasonable hourly rate. It is the organisation’s responsibility to ensure that it charges a reasonable rate. Organisations would be well advised to establish their charging criteria now and make them available on request.

These three key changes are important tools for organisations handling SARs, which can be time consuming and costly.

The High Court has added to an organisation’s arsenal by confirming in a recent decision that Lloyds Bank did provide adequate responses to a claimant’s SARs and was not in breach of its obligation to provide data.

In that case, a claimant submitted a series of SARs over a period commencing in 2017. Lloyds Bank responded to all the SARs, but the claimant alleged that the bank had failed to provide data contrary to the Data Protection Act 2018 and the GDPR. The relevant legislation in place at the time of the SARs was in fact the Data Protection Act 1998; however, the legislation is similar and so this decision remains useful. The court has discretion whether or not to make an order in favour of the claimant and in this case declined in the light of: (i) the numerous and repetitive SARs, which were abusive; (ii) the real purpose of the SARs, being to obtain documents rather than personal data; (iii) a collateral purpose that lay behind the requests, which was to obtain assistance in preventing Lloyds Bank bringing claims for possession; (iv) the fact that the data sought would be of no benefit to the claimant; and (v) the failure of the possession claims, from which all available avenues of appeal had been exhausted. The claim was dismissed as “totally without merit”. This is an important decision in light of the ICO’s view that SARs should be “motive blind”. The court’s decision casts doubt on that view, which may open the door to organisations examining the motive behind a SAR or, in some cases, arguing that a SAR is “manifestly unfounded” and not deserving of a response.