The ICO has revised its guidance on the timescales for responding to subject access requests (SARs) and other data subject rights requests.
Data Controllers must comply with a request without undue delay and at the latest within:
– one month of receipt of the request; or
– one month of receipt of any information required to clarify the request or to confirm the requester’s identity; or
– one month of receipt of written authorisation from the data subject to share their data with the third-party requester.
Calculating the Time Frame
The time frame should be calculated from the date of receipt of the request until the corresponding date in the next month.
Example
An organisation receives a request on 3 September. The time frame for fulfilment begins on the same day and the organisation has until 3 October to comply with the request.
If the following month is shorter than the month in which the request was received, and there is no corresponding calendar date, the date for response is the last day of the following month.
Example
An organisation receives a request on 31 January. The time frame for fulfilment begins on the same day and the organisation must fulfil the request by 28 February (29 February in a leap year).
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
Example
An organisation receives a request on 1 April. The time limit starts from the same day. If 1 May falls on a weekend or is a public holiday, the organisation has until the end of the next working day to comply.
For practical purposes, where a consistent number of days is required for operational or system reasons, it may be helpful to adopt a 28-day internal target: 28 days never exceeds one calendar month, so a response made to that target is always within the statutory period.
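The calculation described above (corresponding date in the next month, clamped to the month end, rolled forward past weekends and public holidays, with the optional two-month extension and the 28-day internal target) is easy to get wrong in a spreadsheet or case-management system. The following deadline calculator is an added example written for this page; it is not the ICO's or the author's code. The holiday list is a constructed sample of England and Wales bank holidays for 2022 and 2024 and must be replaced with an authoritative source before use, and it assumes that an extended period is counted from the day of receipt in the same way as the basic one-month period.

```python
"""Deadline calculator for data subject rights requests (added example).

One calendar month from the day of receipt, clamped to the last day of the
month when the next month is shorter, and rolled forward to the next working
day when the corresponding date is a weekend or public holiday.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta

# Constructed sample of public holidays (England and Wales, 2022 and 2024).
# Assumption for illustration only: verify against the official gov.uk list.
PUBLIC_HOLIDAYS = frozenset({
    date(2022, 1, 3), date(2022, 4, 15), date(2022, 4, 18), date(2022, 5, 2),
    date(2022, 6, 2), date(2022, 6, 3), date(2022, 8, 29), date(2022, 9, 19),
    date(2022, 12, 26), date(2022, 12, 27),
    date(2024, 1, 1), date(2024, 3, 29), date(2024, 4, 1), date(2024, 5, 6),
    date(2024, 5, 27), date(2024, 8, 26), date(2024, 12, 25), date(2024, 12, 26),
})


def _as_date(value: date | str) -> date:
    """Accept a date or an ISO 8601 string (as stored in most request logs)."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def corresponding_date(start: date, months: int) -> date:
    """Same day-of-month `months` later, or the month end if that day does not exist.

    31 Jan -> 28 Feb (29 Feb in a leap year); 30 Nov + 3 months -> 28/29 Feb.
    """
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def is_working_day(day: date, holidays=PUBLIC_HOLIDAYS) -> bool:
    """Monday to Friday and not a public holiday."""
    return day.weekday() < 5 and day not in holidays


def next_working_day(day: date, holidays=PUBLIC_HOLIDAYS) -> date:
    """Return `day` itself if it is a working day, otherwise the next one."""
    while not is_working_day(day, holidays):
        day += timedelta(days=1)
    return day


def statutory_deadline(received: date | str, extension_months: int = 0,
                       holidays=PUBLIC_HOLIDAYS) -> date:
    """Latest lawful response date for a request received on `received`.

    `extension_months` is 0 normally, or up to 2 where the request is complex
    or numerous (assumed here to be counted from receipt in the same way).
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two further months")
    nominal = corresponding_date(_as_date(received), 1 + extension_months)
    return next_working_day(nominal, holidays)


def internal_target(received: date | str) -> date:
    """Fixed 28-day operational target; never later than the statutory deadline."""
    return _as_date(received) + timedelta(days=28)


if __name__ == "__main__":
    # The three worked examples from the guidance, plus a clamped extension.
    for received, ext in [("2024-09-03", 0), ("2024-01-31", 0), ("2023-01-31", 0),
                          ("2022-04-01", 0), ("2023-11-30", 2)]:
        print(received, "->", statutory_deadline(received, ext).isoformat(),
              "(28-day target", internal_target(received).isoformat() + ")")
```

Running the block reproduces the examples on this page: 3 September 2024 gives 3 October; 31 January gives 29 February 2024 or 28 February 2023; and 1 April 2022 gives 3 May, because 1 May 2022 was a Sunday and 2 May the Early May bank holiday. The 28-day target is always on or before the statutory date, which is why it is a safe operational rule.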
What about School Holidays?
The time period for fulfilment of data subject rights requests is set by the legislation and compliance is a legal requirement for all Data Controllers – that is one calendar month from ‘receipt’. For this purpose, though, when is a request deemed to have been received?
Is ‘receipt’ the day on which the request is physically or electronically delivered to the organisation (as defined in the Freedom of Information Act (FOIA), 2000), or is it the day when the request can reasonably be expected to be opened and read?
During term time it is reasonable to suggest the former definition applies and fulfilment should be in line with the examples cited above, unless the request is complex or numerous, in which case the period can be extended by a further two months; the requester must be informed of the extension, and the reasons for it, within one month of receipt.
What about requests received just prior to, or during periods of School holidays – in particular the extended Summer closure? Again, no guidance is offered in the regulations or by the regulator.
Referring back to the FOIA (2000), the ICO recognises the difficulties in meeting regulatory obligations during periods of School closure and offers variations to the time frames for maintained Schools, Academies and Nurseries. Although a different framework of law applies, are we then safe to assume that the ICO will take a reasonable and pragmatic approach to any complaints of non-compliance resulting from periods of extended organisational closure?
Many organisations adopt the position that the time frame for fulfilment of a SAR or other data subject rights request made during school holidays will not begin until the first day of the new term. If this is the case then, for transparency and stakeholder information, the organisation should include a statement to that effect in all Privacy Notices (sometimes called Fair Processing Notices). This does not override Data Controller obligations, though it may deter all but the most vexatious of Data Subjects from making rights requests when it is clear the School/Academy is unable to fulfil them.
Until clarity on this matter is provided the safest approach will always be to take steps to process and reply to subject access requests and other data subject rights as soon as practicable within the narrowest interpretation of the guidance.
If you would like to know more about The Schools People: DPO Service and what we can offer your organisation, please get in touch.