ICO Releases Updated Guidance on Data Subject Access Requests

The Information Commissioner’s Office (ICO) has published updated guidance on Data Subject Access Requests (DSARs). The guidance reflects changes from the Data (Use and Access) Act 2025 (DUA Act) and recent court rulings. It aims to clarify DSAR management for organizations as the DUA Act approaches its latest commencement regulations.
Key Updates in ICO Guidance on DSARs
- Stopping the Clock for Clarifications: Controllers can pause the one-month response timeline for DSARs if they need clarification to provide an effective response. The previous requirement related to the volume of information has been removed.
- Notification of Complaint Rights: When denying a request, controllers must inform the requester of their right to complain to the controller, as well as of their rights with the ICO.
- Volume Considerations: The volume of requested information is now a factor in determining whether a request is unreasonable or disproportionate. Controllers should consider data volume along with the request’s context and inherent access rights.
Further Notable Changes
- Treatment of Repeated Requests: Requests for data in different formats may be deemed excessive if the requester has already accessed their information in a common electronic format.
- Disclosure of Specific Recipients: Controllers must name specific recipients if required unless it is impossible or if the request is deemed manifestly unfounded.
- Exemptions on Supplementary Information: Exemptions can now also apply to supplementary information associated with the DSAR response, as confirmed by recent case law.
Implications for Organizations
The updated ICO guidance presents a balance between new operational flexibilities and enhanced transparency requirements. Organizations may need to rethink their processes to remain compliant, including mapping data disclosures and revising transparency frameworks. This proactive approach will ensure that DSAR management becomes more predictable and defensible in the long run.
If you are an organization dealing with DSARs, it is crucial to understand these updates. Adapting to these changes will help enhance transparency and meet the evolving standards of data protection in the UK.




