ICO Changes Timescales on Responding to a SAR

In relation to a Data Controller’s obligations to respond to a Subject Access Request, time is increasingly short.  The Information Commissioner’s Office (ICO) has recently updated their guidance on the timescale for completing a subject access request (SAR) when a data controller requests clarification from the data subject as to the data sought. Click here to view the updated guidance.

The start of the one month time period is no longer paused until the data controller receives the requested information. Likewise, the extended timescale (of a further two months) for responding to complex or multiple SARs is no longer paused. The new timescale will run from the data of receipt of the SAR or, if later, upon receipt of proof of identification. The ICO clarified in August 2019, following a ruling by the Court of Justice of the European Union, that “one month” means from the date of receipt of a SAR. For instance, a SAR received on 15 September should be responded to by 15 October.

The ICO’s guidance on the right of access now says:

“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests.”

This further clarification from the ICO demonstrates the increasing burdens placed upon Data Controllers and reinforces the importance of having robust systems and procedures in place to be able to respond promptly to a SAR.

For more information please get in touch with one of our information law experts:

• James Cassidy
• Lauren Danks
• Julianne Kirkpatrick