The UK regulator has appeared to supply readability for knowledge controllers after they ask for clarification on requests for private knowledge
New steering from the Data Commissioner’s Workplace (ICO) consists of a capability to “cease the clock” on the one-month deadline for responding to knowledge topic entry requests (SARs) whereas knowledge controllers are ready for people exercising their proper of entry to non-public knowledge to make clear their request.
The transfer by the nationwide knowledge safety authority comes as knowledge controllers have confronted a rising wave of entry requests for the reason that implementation of the Basic Information Safety Regulation (GDPR) in 2018.
The ICO not too long ago revealed its up to date guidance on dealing with SARs, following a consultation that started on the finish of 2019; it consists of welcome recommendation for knowledge controllers on dealing with SARs. In addition to providing extra element on how controllers can cease the clock, the steering gives readability on what’s a manifestly extreme request, and what may be included when charging a price for extreme, unfounded or repeat requests.
Stopping the clock is more likely to be of most curiosity to knowledge controllers that maintain a considerable amount of knowledge and usually obtain requests for “the entire info you maintain about me”.
The way to cease the clock
For those who course of a considerable amount of details about a person, and clarification is genuinely required with a view to reply to the SAR, you may ask the requester to specify the data or processing actions their request pertains to earlier than responding to the request. The time restrict for responding to the request is then paused till clarification is obtained.
The clock is stopped for the variety of days that it takes the info topic to reply. For instance, if the unique one-month deadline was 15 March, and clarification was requested on 20 February, and a response obtained on 27 February, the brand new deadline can be 22 March.
If the info topic merely repeats the request in response, or maintains a request for “the entire info you maintain about me”, you need to nonetheless adjust to their request by finishing up an affordable seek for private knowledge.
If the info topic doesn’t reply in any respect, you don’t have to supply any private knowledge and might shut the request.
Whereas clarification is probably a really helpful new device in your armoury for coping with SARs, you will need to keep in mind that:
- It’s best to ask for clarification early. For those who wait till just a few days earlier than the deadline, you’ll nonetheless solely have just a few days to seek for the info as soon as the info topic responds.
- You can not ask for clarification as a blanket coverage; it will probably solely be requested the place there’s a real want to take action and also you course of a considerable amount of details about the person.
- For those who can fairly present any of the supplementary info (equivalent to retention intervals and the suitable to complain to the ICO) with out clarification, you continue to want to take action inside the authentic one month deadline.
- The one-month deadline will also be prolonged (to a few months) if the request is advanced.