GUIDANCE NOTES FROM THE INFORMATION COMMISSIONER'S OFFICE (ICO)
Reference: https://ico.org.uk/ Right of Access
Can we charge a fee?
In most cases you cannot charge a fee to comply with a subject access request. However, you can charge a “reasonable fee” for the administrative costs of complying with the request if:
- It is manifestly unfounded or excessive; or
- An individual requests further copies of their data following a request.
You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.
Alternatively, you can refuse to comply with a manifestly unfounded or excessive request but please ensure you have good grounds to do so.
What does manifestly unfounded mean?
A request may be manifestly unfounded if:
- The individual clearly has no intention to exercise their right of access. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example:
  - The individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
  - The request makes unsubstantiated accusations against you or specific employees;
  - The individual is targeting a particular employee against whom they have some personal grudge; or
  - The individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption.
This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made, and you are responsible for demonstrating that it is manifestly unfounded.
Also, you should not presume that a request is manifestly unfounded because the individual has previously submitted requests which have been manifestly unfounded or excessive or if it includes aggressive or abusive language.
The inclusion of the word “manifestly” means there must be an obvious or clear quality to it being unfounded. You should consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded. Example:
- An individual believes that information held about them is inaccurate. They repeatedly request its correction but you have previously investigated and told them you regard it as accurate.
- The individual continues to make requests along with unsubstantiated claims against you as the controller.
- You refuse the most recent request because it is manifestly unfounded and you notify the individual of this.
Further Guidance notes from the Information Commissioner's Office (ICO)
Reference: https://ico.org.uk/ Right of access
What about requests for information about children?
Even if a child is too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian. So, it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a subject access request for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should usually respond directly to the child. You may, however, allow the parent to exercise the child’s rights on their behalf if the child gives authorisation to do so, or if it is evident that this is in the best interests of the child.
What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so. When considering borderline cases, you should take into account, among other things:
- The child’s level of maturity and their ability to make decisions like this;
- The nature of the personal data;
- Any court orders relating to parental access or responsibility that may apply;
- Any duty of confidence owed to the child or young person;
- Any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- Any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- Any views the child or young person has on whether their parents should have access to information about them.
In Scotland, a person aged 12 years or over is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown. This presumption does not apply in England and Wales or in Northern Ireland, where competence is assessed depending upon the level of understanding of the child, but it does indicate an approach that will be reasonable in many cases.
For further information on situations where the request has been made by a child, see our ‘guidance on children and the GDPR’.
Requests made on behalf of others
The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
A building society has an elderly customer who visits a particular branch to make weekly withdrawals from one of her accounts. Over the past few years, she has always been accompanied by her daughter who is also a customer of the branch. The daughter makes a subject access request on behalf of her mother and explains that her mother does not feel up to making the request herself as she does not understand the ins and outs of data protection. As the information held by the building society is mostly financial, it is rightly cautious about giving customer information to a third party. If the daughter had a general power of attorney, the society would be happy to comply. They ask the daughter whether she has such a power, but she does not.
Bearing in mind that the branch staff know the daughter and have some knowledge of the relationship she has with her mother, they might consider complying with the request by making a voluntary disclosure. However, the building society is not obliged to do so, and it would not be unreasonable to require more formal authority.
If you think an individual may not understand what information would be disclosed to a third party who has made a subject access request on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.
There are cases where an individual does not have the mental capacity to manage their own affairs. Although there are no specific provisions in the GDPR, the Mental Capacity Act 2005 or in the Adults with Incapacity (Scotland) Act 2000 enabling a third party to exercise subject access rights on behalf of such an individual, it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual will have the appropriate authority. The same applies to a person appointed to make decisions about such matters:
- In England and Wales, by the Court of Protection;
- In Scotland, by the Sheriff Court; and
- In Northern Ireland, by the High Court (Office of Care and Protection).