What’s in a Day?
- By Paul Sullivan
By law, an individual is entitled to know what data an organisation holds on them.
A ‘Subject Access Request’ (SAR) must be made in writing but does not need to follow any set form or be addressed to any specific individual.
The Information Commissioner’s Office recently updated its guidance on the time limit for responding to a SAR. Under the Data Protection Act 2018, a data controller must respond ‘without undue delay and in any event within one month of receipt of the request.’ This period may be extended by two months in certain circumstances.
Previously, the guidance on calculating ‘one month’ would have required a SAR received on 2 September 2019 to be responded to by 3 October 2019. This would accord with the domestic approach to statutory interpretation under the Interpretation Act (Northern Ireland) 1954.
In 2004, the Court of Justice of the European Union (CJEU) determined that ‘one month’ should be calculated inclusive of the day the SAR is received.
The ICO’s latest guidance takes account (albeit belatedly) of this CJEU decision and would now require a SAR received on 2 September 2019 to be responded to by 2 October 2019.
As a data controller, you should review and update your policies and procedures to ensure your continued compliance.
For more information about this article, or any other aspect of our Business and Personal Legal Solutions, get in touch. There is no charge for initial telephone advices.