The Information Commissioner’s Office (ICO) has recently announced an update to their guidance on timescales for responding to a subject access request (SAR), as well as other individual rights requests made under the General Data Protection Regulation (GDPR).
The GDPR requires controllers, including schools, to comply with SARs within one month of receipt of the request. This remains the case. What has changed is ICO guidance on when this time limit starts, or to put it another way, the day on which ‘the clock starts ticking’.
The previous ICO guidance stated that the one month period to respond to SARs starts from the day after you receive it. If, for example, a school received a SAR on 5 August, the time limit would have started the day after receipt, i.e. 6 August. This would give the school until 6 September, the corresponding day in the next calendar month, to respond to the SAR.
This timescale has now changed. Following a ruling by the Court of Justice of the European Union, the ICO has stated that the day of receipt of the SAR is ‘day one’, as opposed to the day after receipt.
Applying this to the above example, this would result in the time limit to respond to the SAR starting on 5 August, the day it was received, and the deadline to reply being 5 September, the corresponding day in the next calendar month. This is one day earlier than was previously the case.
The ICO has updated the “Individual Rights” pages on its website to reflect this change:
Schools may wish to have in place a procedure for handling SARs to ensure that they respond to them promptly and within the shorter timescales. For more information or advice, please contact Paul Watkins on 01242 216 173.