In October the Information Commissioner’s Office published updated guidance on data subject access requests. It is now possible to “stop the clock” on the 30-day deadline to respond in circumstances where clarification is sought as to the extent of the subject access request. This will be welcome news for data controllers who, following the introduction of the GDPR in May 2018, have seen an increase in the number of requests being made. Whilst requests can be specific, often the data subject asks for “all of the information you hold about me”.
Data controllers processing a large amount of information about an individual may, if they require more information to enable them to respond to the subject access request, ask the data subject to specify the information or processing activities their request relates to before doing so. In those circumstances the deadline to respond to the subject access request is paused (known as “stopping the clock”) until such clarification is received.
The guidance states that data controllers do not need to provide the data subject with a copy of the information, or any of the supplementary information that the data controller cannot reasonably provide, unless clarification has been provided. That said:
- clarification should not be sought on a blanket basis simply to stop the clock. It should only be sought if it is genuinely required in order to respond to the subject access request and where the data controller processes a large amount of information about the data subject;
- clarification should be sought as early as possible to ensure that sufficient time remains to search and respond once that clarification has been given;
- where it is possible to provide some of the information within the original time limit then this should be the default position. This also applies to any supplementary information such as the right to complain to the ICO and other data subject rights (unless this information is contained in the organisation’s privacy notice, in which case it is sufficient to provide a copy or a link to it).
A clarification request is an optional new tool. It is up to organisations to decide whether they request clarification – provided that a large amount of information is held and it is not clear what information the data subject is requesting.
As to whether an organisation holds a large amount of information, the ICO’s view is that, to an extent, this will depend on the size of the organisation and the resources available to it. A small organisation with fewer resources is more likely to be able to argue that they hold a large amount of information than a large organisation with dedicated and more sophisticated resources. It is unlikely to be reasonable or necessary for an organisation to seek clarification if their systems allow them to retrieve the relevant information quickly and easily.
Data controllers seeking clarification should inform the data subject that the clock stops from the date clarification is requested, resuming once the individual responds. They should also explain why further details are being sought. If the data subject does not respond within a reasonable period of time, the controller can consider the request closed. Whilst the ICO state that a month is generally a reasonable timeframe, data controllers should take a proportionate approach and consider, for example, whether there might be accessibility issues or other reasons which might delay a response. Organisations should always ensure that they are able to justify their position to the ICO should they be asked to do so.
Finally, it is worth mentioning that it is possible to extend the time limit to respond to a subject access request by two months if the request is complex or the data subject has made a number of requests. Note that a request is not complex just because clarification is required. The ICO provide additional guidance on their website regarding complex requests.