The Information Commissioner’s Office (ICO) has changed their guidance on subject access requests (SARs), as well as other data subject requests relating to their individual rights such as rectification, erasure and data portability. We have referred to them throughout as “data subject requests” or “DSRs”.
So what’s changed?
Under the previous guidance, the recipient of a DSR had to respond within 1 month, starting from the day after they received it.
However, under the new guidance, the recipient must respond to a DSR within 1 month, starting from the day of receipt.
When do the changes take effect from?
The change in guidance was announced on 15 August 2019, and is effective immediately. This gives recipient organisations 1 day less to comply with each request, even if they are mid-way through responding to a DSR. This change has the potential to catch people out, particularly those dealing with complex and time-consuming DSRs, or who have coded response times into their systems.
So how long does that mean I have to respond?
The “1 month” time limit is not a set number of days – the deadline to respond is the corresponding calendar day in the next month. For example, if you receive a DSR on 3 September, you must respond to it by 3 October (whereas the previous guidance meant a deadline of 4 October).
As previously, if there is no corresponding calendar date because the following month is shorter, the deadline will be the last day of the following month. A DSR received on 30 January would therefore be due on either 28 or 29 February, depending on the year. If the deadline falls on a weekend or public holiday, the ICO guidance allows you until the next working day to respond.
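For organisations that have coded response times into their systems, the calculation described above can be expressed as follows. This is an added example, not ICO or author code; the function names are hypothetical, the public holiday dates are a constructed sample that the caller must supply, and the "previous guidance" mode assumes the month is counted from the day after receipt.

```python
import calendar
from datetime import date, timedelta


def add_one_month(start):
    """Corresponding calendar day in the next month, or that month's
    last day when no corresponding date exists (e.g. 30 January)."""
    year = start.year + (1 if start.month == 12 else 0)
    month = start.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day, public_holidays=frozenset()):
    """Roll forward past Saturdays, Sundays and listed public holidays."""
    while day.weekday() >= 5 or day in public_holidays:
        day += timedelta(days=1)
    return day


def dsr_deadline(received, public_holidays=frozenset(), count_from_receipt=True):
    """Latest date to respond to a DSR.

    count_from_receipt=True  -> new guidance (month starts on day of receipt)
    count_from_receipt=False -> previous guidance (assumed: month starts
                                on the day after receipt)
    """
    start = received if count_from_receipt else received + timedelta(days=1)
    return next_working_day(add_one_month(start), public_holidays)


if __name__ == "__main__":
    # Constructed sample holiday list; a real system needs a maintained calendar.
    holidays = frozenset({date(2019, 12, 25), date(2019, 12, 26)})
    for received in (date(2019, 9, 3), date(2020, 1, 30), date(2019, 11, 25)):
        new = dsr_deadline(received, holidays)
        old = dsr_deadline(received, holidays, count_from_receipt=False)
        print(f"received {received}: new deadline {new}, previous deadline {old}")
```

Systems that store a fixed number of days, or that still start the clock on the day after receipt, will report a deadline that is later than the one this calculation gives.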
Why the change now?
According to the ICO’s announcement, the update is based on a ruling by the Court of Justice of the European Union (CJEU) from 2004, in Case C-171/03 Maatschap Toeters and M.C. Verberk v Productschap Vee en Vlees. It is unclear why a ruling from 2004 has resulted in a change to guidance in 2019 – the ICO did not wish to expand on the announcement when we asked – but although the case related to early marketing premiums for veal calves (which isn’t a usual data protection topic), it does include a ruling on the interpretation of time limits under European law (namely European Regulation 1182/71).