The Information Commissioner’s Office recently updated a number of sections in its guidance on dealing with data subject requests, such as data subject access requests and requests for rectification or erasure.
The updated guidance relates to:
- how “one month” is calculated;
- what constitutes a “manifestly unfounded” request; and
- what constitutes an “excessive request”
Calculating one month
Under Article 12 of the GDPR, controllers must generally comply with data subject requests without undue delay and in any event within “one month” of receipt of the request.
Previously, the ICO had said that the period started on the day after the request. If a request is received on 16 August, then the response is due no later than 17 September.
Under the ICO’s new guidance, the time period now commences at the point the request is received. If a request is received on 16 August then the response must be provided no later than 16 September.
The revised guidance is intended to bring the ICO’s guidance into line with that issued by the European Data Protection Board, which in turn is based on a 1971 EU Regulation on calculating time periods and a European Court of Justice case from 2004.
There is no change to the guidance that if the period expires at the weekend or on a public holiday then controllers have until the end of the next working day to respond.
Controllers should ensure that their internal procedures and systems are amended to reflect the revised guidance.
Manifestly unfounded requests
If a request from a data subject is “manifestly unfounded”, controllers have the right to either charge a reasonable fee or refuse to comply with the request.
The ICO’s guidance gives some examples of when a request may be manifestly unfounded:
- the individual “clearly” has no intension to exercise their right of access and is instead using it to try and get some other benefit in return for withdrawing it
- the request is “malicious in intent” and is being used to “harass” an organisation
The ICO considers that the following may be examples of requests that are malicious or intended to harass:
- the individual has explicitly states that they intend to cause disruption
- the request makes “unsubstantiated accusations” against the controller or specific employees
- the individual is targeting a particular employee against whom he or she has a “personal grudge”
- the individual systematically sends different requests to the controller as part of a campaign (for example once a week), with the intention of causing disruption.
It is unclear what is intended by “unsubstantiated accusations”, as in many cases the data subject may not be able to properly substantiate a claim until it has received a response to its DSAR. The ICO gives the example of an individual repeatedly submitting requests for rectification after an organisation has previously investigated and told the individual that the data held is accurate. This suggests that “unsubstantiated accusations” should be interpreted narrowly.
Each of these examples suggest that the primary purpose of the request is to cause disruption or malice, rather than to exercise the right for the purpose of understanding or verifying the personal data that the controller holds.
Each case will depend on its facts. There must also be something that makes it clear or obvious that the request is unfounded.
Under GDPR, controllers can also charge for or refuse to comply with requests that are “excessive”.
The ICO’s guidance states that a request may be excessive if:
- it repeats the substance of previous requests and a reasonably interval has not elapsed; or
- it overlaps with other requests
As with manifestly unfounded requests, whether the exemption applies will depend on the particular circumstances of the request. In particular, determining a “reasonable interval” will depend on the nature of the data and the purposes of the processing and how often the data is altered.
The guidance also explains that a request will not be excessive simply because the individual has requested a large amount of information or has asked for further copies of information requested previously.
In relation to requests for large amount of information, the controller should consider asking for more information to help it locate the information that the individual wants to receive.
In relation to requests for further copies of data under a data subject access request, Article 15(3) states that the controller may charge a reasonable fee.
Refusing or charging for a request
If is for the controller to demonstrate that a request is manifestly unfounded or excessive. Organisations should not have a blanket policy for refusing certain types of request. Each request needs to be considered on a case by case basis.
If a controller decides to charge for or refuse a request on the basis that it is excessive, then the controller should clearly document the basis of that decision.
The controller should inform the individual of its decision without undue delay. That response should:
- provide the reasons for deciding to apply a charge or refuse a request
- inform the individual of his or her right to make a complaint to the ICO or other supervisory authority
- inform the individual of his or her ability to seek to enforce their rights through a judicial remedy
Where can I find the updated guidance
You can access the ICO’s updated guidance on the ICO’s website.
If you would like to discuss the ICOs’ updated guidance, or your internal policies and procedures for handling data subject requests under GDPR, please get in touch.
On August 16, 2019