The ICO has been making more below-the-radar changes to its guidance on data subject access requests.
In July, the ICO made unannounced changes to its DSAR guidance in relation to the calculation of the 30-day period and the interpretation of the phrases "excessive" and "manifestly unfounded". This time the changes concern whether the clock starts before or after the controller has received any information necessary to clarify the scope of a request, and the handling of requests made on behalf of others.
Here's what the ICO previously said:
Can we clarify the request?
If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request.
You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information. However, if an individual refuses to provide any additional information, you must still endeavour to comply with their request, i.e. by making reasonable searches for the information covered by the request.
But now the guidance makes clear that the clock starts right away:
Can we clarify the request?
If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding - you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests (see 'Can we extend the time for a response?').
You cannot ask the requester to narrow the scope of their request, but you can ask them to provide additional details that will help you locate the requested information, such as the context in which their information may have been processed and the likely dates when processing occurred. However, a requester is entitled to ask for 'all the information you hold' about them. If an individual refuses to provide any additional information or does not respond to you, you must still comply with their request by making reasonable searches for the information covered by the request. The time limit is not paused whilst you wait for a response, so you should begin searching for information as soon as possible. You should ensure you have appropriate records management procedures in place to handle large requests and locate information efficiently.
According to the Internet Archive's Wayback Machine, this change was made at some point between 1 October and 16 December 2019.
What is the practical implication of this change?
Does this make a practical difference?
Possibly not. The old guidance only permitted clarification to find information. It was not a back door to refusing to respond until the scope had been narrowed. The controller still only needs to carry out reasonable searches, and so if the controller does not have enough information to find what the requester is looking for then this will be a factor in determining what is reasonable.
It is also still clear that the clock doesn't start until controllers have information necessary to verify the identity of the applicant. That ID information may be relevant in terms of finding the information that the requester is seeking.
However, it does mean that controllers now need to work on the basis that clarifications may not be provided and not delay in starting the work necessary to process a request. That will require changes to internal processes and workflows.
What else has changed?
The ICO has also amended its guidance in relation to handling requests made on behalf of others. The new language is less ambiguous and puts a greater onus on controllers to verify the authority of a third party to make a request. In the example about a building society receiving a DSAR from the daughter of an elderly customer, the ICO now says that it is "necessary" to require formal authority, even though the building society may know the daughter and her relationship to her mother.
If you would like to discuss the changes in the guidance, or your organisation's processes for handling data subject access requests, please get in touch.
Thanks to my Employment law colleague Erin McLafferty for spotting this.