The Information Commissioner’s Office has amended its GDPR guidance in relation to the timescale for complying with Data Subject Access Requests when you request clarification from the data subject. The old guidance suggested that you could wait until you had the clarification from the employee to start the clock ticking. The new guidance makes it clear that you may ask the data subject to specify the information or processing activities their subject access request relates to before responding to it, but this does not affect the timescale for responding – you must still respond to their request within one month.
Of course, you may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests already. The last sentence is slightly misleading in that it simplifies the circumstances in which you can legitimately extend time. Wider reading on the ICO site suggests that the circumstances in which an employer is going to be able to rely on the extension are actually narrow – think exceptional circumstances, rather than the norm.
The change means that if you are waiting for somebody to get back to you, you still need to start your search so that you do not run out of time.
The ICO is currently conducting a survey in relation to processing criminal convictions data, so it is likely that we will have more guidance in that area in due course.