Menu Close

ICO guidance published – right to access; simplifying subject access requests (SARs)

ICO guidance published – right to access; simplifying subject access requests (SARs)

Background

  • This guidance was published by the Information Commissioner’s Office (ICO) on 21 October 2020 and is important for all organisations
  • https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/
  • The ICO states that this guidance is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in larger organisations
  • This now-published right-of-access detailed guidance by the ICO was initially circulated for consultation in December 2019; the ICO received over 350 responses from organisations of all sizes and sectors
  • Those responses were generally positive but there were also calls for additional content and examples as well as an appetite for more support and clarification on some aspects of the law that are not clearly defined
  • The ICO has now updated its draft proposals to provide further clarity

Impacts

The right of access is a fundamental right under data protection law.  All organisations must know how to deal with a subject access request (SAR) effectively and efficiently.

This guidance discusses the right of access in detail.  It provides greater detail beyond the Guide to Data Protection to help people to apply the right of access in practice.

The contents of this guidance include the following headings:

  • What is the right of access?
  • How should we prepare?
  • How do we recognise a subject access request (SAR)?
  • What should we consider when responding to a request?
  • How do we find and retrieve the relevant information?
  • How should we supply information to the requester?
  • When can we refuse to comply with a request?
  • What other exemptions are there?
  • Are there any special cases?
  • Can the right of access be enforced?
  • Can we force an individual to make a SAR?

Timeline with relevant dates to be logged on regulatory calendar

  • ICO guidance was published on its website on 21 October 2020

Next steps

All organisations should fully understand data protection requirements and the ways in which they apply to their business activities, clients and employees.

Further information is available from the ICO or its website.

If anyone has specific questions or a need for direct help, contact our experts too.