ICO amends guidance on GDPR compliance timescales
The Information Commissioner’s Office has amended its guidance on the timescales for compliance with data subject access requests, or DSARs, where the data controller has requested clarification.
In an unwelcome development for employers, the ICO has amended its guidance on DSARs under the General Data Protection Regulation 2018 (GDPR) so that the start of the one- or three-month time period for compliance (the latter time limit applying to complex requests) is no longer delayed until the data controller receives any requested clarification information from the data subject.
This is a fundamental change from the previous guidance (in place since 2018), and also the position under the old Data Protection Act (DPA), which delayed the start of the time period for compliance until the receipt of any requested clarification.
Data controllers can still ask the data subject for further information/clarification, but the clock will continue to run over this period. This creates a number of practical challenges, in particular where the DSAR is cast in broad terms and where the controller requires details of particular custodians, timeframes and keywords for the purposes of data retrieval and the conduct of electronic searches. It will also raise real issues where a data subject takes significant time to respond to a request for clarification – even though this response will be needed to shape the scope of the searches, the clock will continue to run and reduce the overall time available to complete the response in real terms.
What does this mean for employers?
The new position is also reflected in the ICO’s draft guidance on the right of access under the GDPR, which is currently subject to consultation. It is unlikely but possible that the ICO will change its stance following the consultation. However, in the meantime, when dealing with DSARs, employers will need to calculate the deadline for compliance from the receipt of the DSAR (or any requested identification confirmation), and not from the date of receipt of clarification/further information from the data subject.
The ICO’s draft guidance for consultation on subject access rights under the GDPR is more detailed than the guidance originally published by the ICO in April 2018. It covers topics such as finding and retrieving the relevant information, how to supply the information, manifestly unfounded requests, claiming exemptions and dealing with information about third parties. Consultation is open until 12 February 2020.