What do we need? Clarification! When do we need it? Now!
You may recall from part one of this blog that I’d emailed the Information Commissioner’s Office (ICO) asking for clarification as to what’s deemed excessive and what’s considered a reasonable fee. Well, I’m still waiting for them to reply, but the automated response did state it could take two weeks.
However, given the number of questions and comments and the level of disgruntled PMs out there, I thought I’d try another approach. This time, I used the ICO Live Chat service and within minutes I was chatting to an adviser.
The virtual conversation went as follows:
ICO: Good afternoon, how can I help you?
Me: Hi, I would like some clarification regarding subject access requests
ICO: Yes, how can I help?
Me: What is classed as manifestly unfounded, excessive or repetitive?
ICO: This is not determined in the act; it will be down to the data controller to assess whether to apply this exemption
Me: So, for example, if it is deemed that anything up to 10 pages is reasonable, but over 10 pages is excessive or repetitive, it would be fine for data controllers to charge a fee for copying?
ICO: Again, this would depend on the individual request; there is nothing that covers amounts of data
Me: It is not unusual to receive requests for copies of records (paper records) which are between 50 and 100 sheets, if not more. I want to be able to produce a statement that states that anything over a set amount is deemed excessive and a fee will apply. Would this be in line with the GDPR?
ICO: As before, what is excessive is not defined under the act; however the test would be if this is brought to us as a complaint by a requester, the ICO would then make an assessment based on the individual case itself
Me: Are there plans to clarify this rather ambiguous area of the Regulation?
ICO: There will be further guidance on this, similar to the code of practice under the DPA. However I do not know when this will be available. A lot of this guidance will be based on test cases as mentioned
Me: Thank you for your advice today.
Me: Sorry, just one final question: If guidance is based on test cases, will those involved in the ‘test cases’ be liable to fines etc. if the ICO upholds a complaint?
ICO: Again, every case is assessed individually. I would advise that you have a look at our current guidance on the right of access: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/ and consider what is reasonable
Me: Thank you.
Not quite the clarification I was looking for as it’s now evident that the responsibility rests with the data controller (the practice) to determine what is deemed excessive. So it appears we’re going to play a game of ‘hurry up and wait’ or should that be a game of cat and mouse – where the ICO is the cat and practices are the mice?
I can sense the level of frustration increasing as you read this. Believe me, I was very disappointed in the reply, as it didn’t provide the clarification requested. So let’s move on to the hyperlinked guidance, with a glimmer of hope remaining… but please don’t shuffle to the edge of your seat just yet!
I quote from said guidance:
You can refuse to comply with a subject access request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If you consider that a request is manifestly unfounded or excessive you can:
request a “reasonable fee” to deal with the request; or
refuse to deal with the request.
In either case you need to justify your decision.
You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.
Note the “If you consider” opening of the second sentence. Really! We all have different opinions, don’t we? What I consider excessive or repetitive could be different to what any of you deem it to be!
We could run a poll to see what people deem to be excessive; is it 10 or more sheets of paper or is it possibly 25 sheets of paper or more? In my humble opinion, anything over a single sheet is repetitive, but perhaps I’m being pedantic… I wonder why? But the ball lies in your court; if your practice (as data controller) deems the request to be repetitive in nature and excessive, you can request a reasonable fee. Please post comments as to what you think is reasonable.
I really do wish some clarity had been given – a simple answer to my logical question – but no, the ambiguity remains.