Employers should review their policies and procedures on handling subject access requests following new guidance from the Information Commissioner’s Office.
What Does the Guidance Say?
Employers must comply with a request without undue delay and at the latest within one month of receipt of the request. When calculating the one-month period for response, the ICO has confirmed that you should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. For example, a subject access request received on 3 September should be responded to by 3 October.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond. This means that the exact number of days you have to comply with a request may vary, depending on the month in which the request was made.
An example given by the ICO to illustrate this is where an organisation receives a request on 31 March. The time limit will run from 31 March; however, as there is no equivalent date in April, the organisation has until 30 April to comply with the request. If 30 April falls on a weekend or is a public holiday, the organisation has until the end of the next working day to comply.
Can You Extend the Time for a Response?
It is possible to extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary. You do not need the individual’s consent to extend the time limit.
Do you need support with updating your policies and procedures? Please contact Kathy Halliday in our Employment Law team, on 0121 227 3711.