ICO Tightens Screw on DSAR Deadlines, Possibly (UK)
Unheralded and unannounced, recently revised GDPR guidance from the Information Commissioner's Office (ICO) removed one small source of comfort for employers facing Data Subject Access Requests (DSARs) from employees. It used to say that the 30-day time limit was paused, the clock stopped, if you asked the requester for information to clarify his DSAR and it was not provided. This was not carte blanche to delay things – the request for clarification had to be made as soon as possible (i.e. not Day 29) and it had to relate to information you genuinely and reasonably needed in order to comply with the DSAR. Still, it was better than nothing in a tight corner. You also had to do your best to comply in a timely manner with those parts of the DSAR not covered by your request for further information.
However, it has now gone. The revised guidance still allows you to seek clarity from the maker of the DSAR but makes it clear that the clock is not stopped pending receipt of it. There is no explanation of why the original guidance has been changed already, but there it is. What is odder still is that the text forming the revised guidance seems to be the same as that which is currently out for consultation. Whether the online guidance has been amended prematurely in error or the consultation exercise is felt so unlikely to make any difference that publishing that text now is seen as a safe enough bet is unclear.
Other related changes do little to assist. “You cannot ask the requester to narrow the scope of their request”, it says. Clearly that is not correct. You absolutely can ask that he does so, but cannot make him do it nor use his not doing so as a reason for delay or doing less than your best to comply with his request. By contrast, the guidance does give a green light to asking not that the request be narrowed, but that the employer be provided with additional details which will help it locate the requested information, such as when and/or the context in which their data may have been processed. This may be a distinction without a difference, however, since we are told that if the requester doesn’t provide that information, there is still nothing you can do about it. Never fear, the ICO’s guidance has a solution – “You should ensure that you have appropriate records management procedures in place to handle large requests and locate information efficiently”. Well, that’s fine, then.
So none of the changes represents any good news or practical assistance to employers. However, do note one piece of the guidance which has not changed, i.e. that the search you make must be “reasonable”. If you have tried in correspondence with the requester to make it easier for you to find what he wants and he has not played ball, the ICO’s view of what is “reasonable” for those purposes must almost inevitably be affected. If you asked him to identify specifically what he was after or where to find it and he could have helped but didn’t, his later complaint to the ICO that it wasn’t provided is unlikely to get a very sympathetic hearing.
On the other hand, if it was data which you could or should reasonably have been able to find without that enquiry, hard luck. Especially as cut down in this way, the right to seek clarification will only avail an employer if it is used reasonably and selectively. There is no harm in responding as a matter of course to DSARs with an enquiry as to whether there is anything specific the employee is looking for, but you cannot use that courtesy question to buy any grace with the ICO. That would take a request a great deal more focussed on a particular problem of logistics or investigation which the employee could help you address to your mutual benefit. In any case, where there is less than full disclosure made in response to a DSAR, the burden is going to be on the employer as data controller (and processor) to show that it has done its best to comply, and in that respect there has been no change. While the alteration to the guidance initially seems significant – before you could delay and now you can’t – there may be less to it in practical terms than meets the eye.