The Information Commissioner's Office (ICO) has published finalised guidance on subject access requests (SAR). The guidance was initially put out for consultation in December 2019 and resulted in requests for additional content and examples as well as greater clarification. The guidance now includes greater clarity on the following three key points:
- Stopping the clock for clarification of a SAR - A SAR must be complied with at the latest within one month of receipt of the request. The ICO has now clarified that, in certain circumstances, the clock can be stopped whilst the organisation waits for the requester to clarify their request.
- What constitutes a manifestly excessive request - additional guidance has been added and the ICO has broadened the definition.
- What can be included in the administration fee when charging for excessive, unfounded or repeat requests - the guidance sets out that a reasonable fee may include the costs of staff time based on the estimated time it will take staff to deal with the specific request, charged at a 'reasonable hourly rate'.
The ICO say that they are planning a suite of resources - including a simplified SAR guide for small businesses which will pick out the key 'need-to-know' from the detailed guidance. This would be very welcome given the length of the detailed guidance.