New Guidance is Published by the UK ICO on the Right of Access


The Office of the UK Information Commissioner (ICO) recently published new guidelines on the right of access under the GDPR (Article 15). Access right gives individuals the right to request and receive a copy of their personal information and other supplemental information, and helps individuals understand how and why organizations use their information.

This guide significantly expands the original ICO guide that was published in April 2018 and clarifies some important questions when processing and responding to access requests. The guidelines highlight the need for organizations to be more proactive in handling access requests and provide practical advice on how to comply with such requests. The practical advice is likely to be of particular interest to organizations that receive a large number of access requests, e.g. B. Companies with consumer contact or authorities. We’ve discussed some of the features of the updated guide below.

A proactive approach to access requests

The guidelines recognize that access requirements are sometimes difficult to identify. A person can make an access request verbally, in writing or electronically, increasingly also via social media in which an organization is present. The guidelines therefore encourage organizations to take steps to make it easier for their employees to identify the requests for receipt, including:

  • Training staff to understand what a request is or could be;
  • Develop policies and procedures for right of access and ensure that they are easily accessible to staff;
  • Appointment of a specific person or a central team to handle inquiries; and
  • Prepare a standard form that individuals can use in their inquiries.

Implementing such processes as standard practice helps organizations identify access requests at the earliest possible point in time, leaving them more time to respond. Organizations are also encouraged to keep track of active access requests and ensure that response times are being met efficiently by taking the following measures:

  • Maintaining information asset registers specifying where and how personal data is stored. An organization’s records of the processing and / or retention of data could be helpful in formulating such an asset register.
  • Keep a log of access requests and update this log to monitor progress. This should be implemented by all organizations regardless of the size and number of requirements, as a regulator may ask for the general treatment of requirements, for example if a complaint has been made by a data subject; and
  • Creation of a standard checklist that employees can use to ensure that a consistent approach is followed when answering access requests.

Taking a proactive approach will undoubtedly enable companies to better manage requests and responses, especially those organizations that receive a large number of requests. By proposing such measures, the ICO has the impression that non-compliance for reasons such as the volume of inquiries or the non-provision of all information requested by the data subject is not acceptable to the ICO. Instead, the ICO advises that organizations play an active role in ensuring that they comply with all requests received and ultimately ensure compliance with the law.

Extension of the deadline for replies

The law provides that an access request should be fully responded to within at least one month of receipt of the request or, where applicable, receipt of information requested by the organization to confirm the identity of the applicant. Organizations can add an additional two months to this response time if the request is complex or if a number of requests have been received from the individual. However, as stated in the guidelines, an organization must be able to demonstrate why they have come to such a conclusion.

Organizations are permitted by law to seek clarification on an access request if it is really necessary to respond and the organization is processing a large amount of data about the individual. The guidelines confirm that if such clarification is sought, the time limit for responding to the access request will be stopped until such clarification is received. This is known as “stopping the clock”. The watch will then resume on the day you receive clarification.

While “stopping the clock” may seem useful to organizations, the ICO specifically warns against doing it as a tactic to delay a response or deter future inquiries. Instead, organizations are expected to be transparent and cooperative with individuals, for example through:

  • Advice and support for the individual in clarifying his request;
  • Keep a record of conversations with a person about the scope of their request; and
  • explain to the individual why they are seeking clarification of their identity or the scope of the request.

Make reasonable efforts to obtain information

Organizations should use reasonable efforts to find and retrieve the information requested, which the ICO believes is a “high” expectation of the GDPR. However, organizations are not required to conduct searches that would be inappropriate or disproportionate. To determine this, the ICO should indicate that an organization should consider: the circumstances of the request; Difficulty in finding information; and the fundamental nature of the right of access. The determination will of course be very different between the organizations and the means at their disposal, but experience has shown that the proportion of inquiries that meet the criteria “inadequate” or “disproportionate” is very low.

The guide explains certain types of records / locations that organizations often need to consider when fulfilling an access request, such as: B. archived information or information in emails. The ICO’s overall message in this regard is that, in general, all records should be considered when attempting to honor a request. The ICO suggests organizations to design, implement and maintain information management systems that are appropriate for the organization to efficiently meet the requirement.

What is “obviously unfounded” and “obviously exaggerated”?

Organizations can refuse to grant an access request if it is “obviously unfounded” or “obviously excessive”. The instructions expand the meaning of these terms.

A request can be obviously unfounded if:

  • The person has no intention of exercising their right of access, e.g. B. withdraws the application immediately if it benefits from the organization. or
  • The request is malicious and is used to harass and disrupt an organization, e.g. B. the person systematically and frequently various requests as part of a targeted campaign to disrupt the organization.

A request can be obviously unreasonable if it is “clearly or manifestly inappropriate” it should be based on whether the request is proportionate when it is reconciled with the burden or cost of processing the request. The mere fact that the person is requesting a large amount of information does not in itself mean that the request is excessive. All the circumstances of the request should be considered when analyzing whether it is proportionate, including:

  • the type of information requested;
  • the context of the request and the relationship between the organization and the individual; and
  • the available resources of the organization.

The guidelines specifically state that these examples and circumstances are not intended to be conclusive. The context in which each request is made is critical and must always be considered and recorded. If an organization believes that a request is manifestly unfounded or inappropriate, it should ensure that it has a strong justification for why it is considering it and be ready to demonstrate this clearly to the individual and the ICO.

Closing points

The guidelines contain some welcome suggestions based on experiences and questions received since the implementation of the GDPR. The overall message of the guidelines is clear: Organizations should ensure that they are fully prepared to meet and efficiently respond to all requests received within the time limits set by law, and that they implement practices and procedures to do so.