Responding to Subject Access Requests
By law, an individual is entitled to know what data an organisation holds on them.
A ‘Subject Access Request’ (SAR) must be made in writing but does not need to follow any set form or be addressed to any specific individual.
The Information Commissioner’s Office recently updated its guidance on the time limit for responding to a SAR. Under the GDPR, a data controller must respond ‘without undue delay and in any event within one month of receipt of the request.’ This period may be extended by two months in certain circumstances.
Previously, the guidance on calculating ‘one month’ would have required a SAR received on 2nd September 2019 to be responded to by 3rd October 2019. This approach would accord with the domestic approach to statutory interpretation under the Interpretation Act (Northern Ireland) 1954.
In 2004, the Court of Justice of the European Union (CJEU) determined that ‘one month’ should be calculated inclusive of the day the SAR is received.
The ICO’s latest guidance takes account (albeit belatedly) of that CJEU decision and would now require a SAR received on 2nd September 2019 to be responded to by 2nd October 2019.
As a data controller, you should review and update your policies and procedures to ensure your continued compliance.