FOIMan looks at the new draft guidance from the Information Commissioner’s Office on handling access to information requests.
As UK practitioners have struggled to get to grips with the realities of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) over the last year or so, one place they’ve been able to turn to for help has been the ICO website. The ICO’s Guide to Data Protection and its constituent parts (including the Guide to the GDPR and the Guide to Law Enforcement Processing) are invaluable tools for Data Protection Officers and others involved in implementing data protection in their organisation.
As time has gone on, the ICO has been adding to these guides with more detailed guidance on aspects of data protection. Given that the legislation is still new, there are issues that practitioners struggle with and are looking for a clear steer from the regulator on. Delegates on some of my training courses have asked regularly when they can expect help with one particular issue: how to handle access to information requests, commonly known as subject access requests (SARs).
In early December we finally got an answer. The ICO published its draft detailed guidance on SARs for consultation. The contents need to be treated with caution since its nature as a consultation document means that this is not yet the Commissioner’s final word on the aspects of SAR handling that it covers. It does however give us an indication of the ICO’s thinking, and we can look forward to the final version being published later in 2020.
Overall the guidance is a thorough examination of the subject (as its 77 pages would suggest), though practitioners won’t find an answer to every question they might have, and there are no real surprises to anyone familiar with the ICO’s existing guidance. Notably it includes:
- a section on ensuring that your organisation is able to comply with SARs, covering things like training, guidance, staffing and information management
- expanded guidance on when deadlines can be extended (including what counts as ‘complex’), ‘reasonable’ charges, and the meaning of ‘excessive’ and ‘manifestly unfounded’
- help with dealing with requests made through third parties including requests made via portals
- a more detailed (though not comprehensive) guide to the exemptions in the DPA.
The Commissioner’s consultation is open until 12 February 2020. If you’re a practitioner have a read and if you have any thoughts, consider feeding them back to the ICO.