New guidance from the ICO on subject access request timescales

The Information Commissioner's Office (ICO) has amended the timeframes within which firms must respond to Subject Access Requests (SARs).

Main findings

The main findings were:

  • The definition of “day one” has been amended.
  • Firms now have one calendar month from the day of receipt to respond.

Previously, SARs had to be responded to within one calendar month, with the day after receipt counting as “day one”.

Following the court judgement, “day one” is now the day a firm receives the SAR. For example:

An organisation receives a request on 3 September. The time limit will start on the same day. This gives the organisation until 3 October to comply with the request.

What happens if the month is a short month?

If there is no corresponding calendar date because the following month is shorter (e.g. February), the date you will need to respond by is the last day of the following month. For example:

An organisation receives a request on 31 March. The time limit starts from the same day. As there is no equivalent date in April, the organisation has until 30 April to comply with the request.

What about if the ‘respond by date’ is on a weekend or bank holiday?

If the date you need to respond by lands on a weekend or a public holiday, you have until the next working day to respond.

Our thoughts?

Many firms will be able to respond to the SAR within this amended timeframe as most aim to respond well within the month limit.

However, as the exact number of days you have to comply with a request varies (depending on the month in which the request was made, and on any weekends and bank holidays), firms may now find it hard to put in place simple SAR monitoring.

As such, we think that firms may benefit from adopting a 28-day response period, as this will ensure that you will always be able to respond to a SAR within the required calendar month.

What you should do now…

You should make sure that any SAR processes you have in place are updated to reflect these amended timescales. This includes any internal systems, tracking spreadsheets and training material you may have.