40: Subject access requests: detailed guidance published
On 21 October 2020, after consultation, the ICO issued its detailed rights of access guidance. The key takeaways from this for trustees are set out below.
As data controllers, trustees must respond to data subject requests without delay and at the latest within one month of receipt of the subject access request. The guidance clarifies amongst other things that the ‘clock’ can be stopped to await clarification from individuals when processing a large amount of information about the individual and a specific clarification is genuinely required.
If a request is ‘manifestly unfounded or excessive’, trustees may be able to charge a fee for their administrative costs or refuse to respond under the GDPR. The ICO has shed more light on what is ‘manifestly excessive’ and clarified that what should be considered is firstly whether the request is clearly or obviously unreasonable and this should be based on whether the request is proportionate when balanced against the burden or costs involved in dealing with the request. This involves taking into account all the circumstances of the request. The ICO points out that a request isn’t necessarily excessive just because the individual requests a large amount of information. In terms of what can be taken into account when determining what admin fee can be charged for one of these requests, the ICO guidance has provided more detail on this. Things which might be taken into account include assessing whether or not you are processing the information, the costs of locating, retrieving and extracting the information, and communicating the response to the individual.
Trustees who are faced with a data subject request from a member and who consider that the request may be excessive or unfounded should consider taking advice on whether any response they put together or fee they wish to charge is compliant with the ICO’s guidance.
Trustees may want to consider undertaking a review of their subject access request policy and protocol. There have been other important developments since the GDPR came into force in 2018 which are likely to mean a pension scheme’s data protection documentation requires a more general update, we can help with this.
We will be hosting a webinar on 25 March 2021 discussing subject access requests and more. Details will be published closer to the time.