The Information Commissioner's Office (ICO) has published new guidance for organisations on how to deal with subject access requests.
The guidance clarifies the circumstances in which a subject access request (SAR) may be deemed complex, enabling the clock on the one-month period from receipt of the SAR to be effectively stopped while a data controller waits for the individual to clarify their request.
It confirms that, in determining whether a SAR is manifestly excessive, the data controller has to consider whether it is clearly or obviously unreasonable. All the circumstances of the SAR should be taken into account and used to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.
The guidance also states that when the data controller charges a reasonable fee for excessive, unfounded or repeated SARs, this fee can include the costs of staff time, copying, postage, and other expenses involved in transferring the data to the individual.
In addition to this guidance, the ICO is developing other resources, such as a guide for small businesses, to aid the understanding of SARs.