Data subject access requests – do you know the rules?Print publication
The Information Commissioner’s Office (ICO) has updated its guidance on timescales for responding to a data subject access request.
The guidance clarifies that, when calculating the one-month response period, the day of receipt is to be counted as ‘day one’ not the day after receipt.
With GDPR now well-established and an increased focus on data privacy and compliance, it is important that employers have procedures in place to ensure that data subject access or rights requests are handled in accordance with the law. This is therefore a good time to train managers on how to recognise and handle requests made under GDPR and ensure compliance with the timescales involved.
As a quick reminder, employers must comply with a data subject access request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any requested information to clarify the request
- any information requested to confirm the requester’s identity
- a fee (only permitted in certain circumstances)
Employers should calculate the time limit from the day they receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
Employers can extend the time to respond by a further two months if the request is complex or it has received a number of requests from the individual. However, the employer must let the individual know within one month of receiving their request and explain why the extension is necessary.
We are often asked whether it is permitted to ask the individual for ID to first confirm that they are who they say they are if the employer is in doubt. The answer to this is, yes, as long as a proportionate approach is used. Advise the individual as soon as possible that more information is needed from them to confirm their identity before responding to their request. The period for responding to the request begins when the employer receives the additional information.
Where employers process a large amount of information about an individual it is acceptable to ask them for more information to clarify their request but this should be limited to information that is reasonably needed to find the personal data covered by the request. If the individual refuses to provide any additional information, the employer must still endeavour to comply with the request by making reasonable searches for the information covered by the request.
Our Regulatory and Employment teams are here to help with any questions you may have.
Please contact David Smedley or Andrew Rayment for further information.