This new consultation was launched yesterday (4th December 2019).

The guidance is much needed as the previous guidance – the Subject Access Code of Practice – referred to the pre-GDPR position. There are no big surprises in the new guidance but I note some interesting and helpful points:

Requests made under FOI by mistake

There is clear confirmation that if a requester makes a request for their own personal data and mistakenly does this under the FOI regime, it should be treated as a subject access request, but there is no need to issue a formal FOI refusal notice.

Normal Course of Business Requests

The ICO recognises the concept of ‘normal course of business requests’. This has been the case for some time in the FOI context but this guidance extends the concept to requests which would normally be assumed to fall under the GDPR right of access. The guidance says: ‘For example, if an individual requests copies of letters which you have sent them previously, it is unlikely that you need to deal with this as a formal SAR [subject access request].’

Complex Requests

There is a helpful explanation of when a request does and does not count as ‘complex’. This is important because if a request is complex then the time for responding may be extended.

‘The following are examples of factors that may in some circumstances add to the complexity of a request. However, you need to be able to demonstrate why the request is complex in the particular circumstances.

• Technical difficulties in retrieving the information – for example if data is electronically archived.

• Applying an exemption that involves large volumes of particularly sensitive information.

• Clarifying potential issues around disclosing information about a child to a legal guardian.

• Any specialist work involved in redacting information or communicating it in an intelligible form.

Requests that involve a large volume of information may add to the complexity of a request. However, a request is not complex solely because the individual has requested a large amount of information.

Also, a request is not complex just because you have to rely on a processor to provide the information you need in order to respond.’

Bulk requests

The ICO makes it clear that the deadline for responding to requests stands even where there are bulk requests, although it does suggest that there may be some leniency at the enforcement stage, saying that it won’t take enforcement action if it would be unreasonable to do so.

Back-ups and deleted items

The draft guidance also goes into some detail on back-up records and deleted items, which will be of use to those dealing with the practicalities of searching for information.

‘The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. However, there is no ‘technology exemption’ from the right of access. You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up.

Search mechanisms for electronic archive and back-up systems might not be as sophisticated as those for ‘live’ systems. However you should use the same effort to find information to respond to a SAR as you would to find archived or backed-up data for your own purposes.’

The information on deleted records is on page 25 of the draft guidance. It is not summarised here as a summary may be misleading. The key point is that there may be information which the organisation thinks is ‘deleted’ which nevertheless can be retrieved and will fall within the scope of a subject access request.

The consultation closes on 12 February 2020.