
In detail

How long do we have to comply?

You must comply with a Part 3 SAR without undue delay and at the latest within one month of receipt of the request or within one month of receipt of:

  • any information requested to confirm the requester’s identity; or
  • a fee (only in certain circumstances).

You should calculate the time limit from the first hour of the first day after you receive the request, fee or other requested information (whether it is a working day or not) until the last hour of the corresponding calendar date in the next month.

Example

If you receive a request on 30 June the time limit will start at 00:00 on 1 July and the deadline will be 23:59 on 1 August.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last hour of the last day of the following month.

Example

If you receive a request on 30 May the time limit will start at 00:00 on 31 May but the deadline will be 23:59 on 30 April.

If the corresponding date falls on a weekend or public holiday, you have until the last hour of the next working day to respond. This means that the exact number of days you have to comply with a request varies, depending on the month in which someone makes the request.

For practical purposes, if you require a consistent number of days (eg for operational or system purposes), you could adopt a 28-day period. This ensures that you always comply within a calendar month.

As the time limits are different in the UK GDPR, you could apply the shorter time limit (under the UK GDPR) to all SARs you receive. See ‘How long do we have to comply?’ for UK GDPR details.

Can we extend the time for a response?

Unlike the UK GDPR, Part 3 does not allow you to extend the period for responding to either complex requests or a number of requests from the same person.

Section 54(2) allows for the Secretary of State to specify a longer time period for responding to SARs by way of regulations. However, at present there are no regulations in place. Therefore, you must respond to Part 3 SARs within one month.

If both the UK GDPR and Part 3 information is covered by the SAR, can we deem the request complex and extend the deadline?

No. You may only consider a mixed SAR to be complex for the information you process under the UK GDPR.

Therefore, you must provide the Part 3 information within the one-month deadline, even if you have extended the time limit for responding to information processed under the UK GDPR.

However, if you wish to provide all the information at the same time, you must ensure that you comply with the request under the normal time limits for responding to a Part 3 SAR.

How long do we have to deal with requests for information processed for different purposes?

There may be circumstances when you need to consider requests for information processed under both the UK GDPR and Part 3. You may be using some of the information for a law enforcement purpose (eg a criminal investigation), and some of it for general purposes (eg human resources reasons).

As the time limits differ between the UK GDPR and Part 3 (and there are no provisions in Part 3 to extend the time to respond), sometimes you may need to provide separate responses.

However, you are not required to provide the information separately, as long as you clearly explain whether you are disclosing the information under the UK GDPR or Part 3 (although this may not always be possible if you need to restrict the person’s right of access to this information). Where possible, you should provide all the information at the same time, and within the shorter time limit. This ensures that you comply with the statutory time limits for both the UK GDPR and Part 3.

Example

A local authority receives a SAR for “all the information you hold about me”. It needs to provide the information it holds about the person under both the UK GDPR and Part 3 SAR regimes.

The authority has deemed the UK GDPR information to be complex, as it processes a large quantity of information about the person, and it is unclear from the request what the person is actually looking for. Therefore, it extends the time limit for responding to this element of the request by two months. However, the authority is aware it must provide the Part 3 information within one month.

The authority holds a number of documents which contain personal information that it processes about the person under both the UK GDPR and Part 3. The authority considers that it would be impractical and costly to extract the UK GDPR and Part 3 information from the documents. The authority decides it would be much more efficient to provide the person with copies of the documents.

However, although it has extended the deadline for responding to the request for the UK GDPR information, the authority must ensure it provides copies of all the personal information contained in the documents within the Part 3 timeframe.

Can we clarify the request in Part 3?

Yes. You could ask someone to provide additional details about the information they want to receive, such as the context in which you may have processed it, and the likely dates when processing occurred. For example, if you hold a lot of information about the person, and their request is vague, you may want to ask them to clarify what information they are requesting.

However, you cannot require someone to narrow the scope of their request, as they are entitled to ask for all the information you hold about them. If someone refuses to provide any additional information or does not respond to you, you must still comply with their request by making reasonable searches for the requested information. See our UK GDPR guidance on the right of access – ‘What efforts should we make to find information?’ for details about the extent to which you must search for information.

However, unlike under the UK GDPR, the time limit is not paused while you wait for a response. So you should ask for clarification as soon as possible.

Can we stop the clock and ask for clarification?

If you process information under both the UK GDPR and Part 3, you can only pause the time limit while you ask for clarification about the UK GDPR information.

As the clock does not stop for the Part 3 information, you must provide it or, if relevant, make the person aware that you have restricted access to it, within the one-month time limit.

Example

An employee of the Land Registry makes a SAR “for all the information you hold about me concerning disputes or investigations”.

The Land Registry processes a large volume of information about the person, as they were involved in a number of disputes and investigations, some of which are still ongoing. They were involved in a property dispute with their next-door neighbour several years ago. There was a grievance between them and other employees, and the person made a complaint to the Land Registry about its handling of a freedom of information request. They are currently buying a house and the Land Registry is investigating allegations of fraudulent activity on the part of the vendor. The fraud investigation is being dealt with under Part 3 and the file contains personal information about the person. It also contains various complaints from the person about the handling of the case.

The Land Registry believes it is genuinely necessary to seek clarification, as it is not clear what information the person wants and it processes a large volume of information. It decides to stop the clock under the UK GDPR to ask the person to specify what information they are looking for.

The clock does not stop for the Part 3 information, so the Land Registry must respond within the time limit. However, since there is a mix of information on the fraud file, including various complaints from the person, it decides that the Part 3 information is not separately searchable from the UK GDPR information. The Land Registry provides the information about the fraud matter within the usual Part 3 timescale for responding.

Can we charge a fee under Part 3?

In most cases, you must not charge a fee to comply with a SAR. You must provide the information free of charge.

However, if a request is manifestly unfounded or excessive, you could charge a reasonable fee for the administrative costs of complying with it, rather than refusing to comply with it. You could also charge a reasonable administrative fee for providing further copies of your SAR response. See our guidance on Part 3 manifestly unfounded and excessive requests.

Section 53(4) of the DPA 2018 allows for the Secretary of State to specify limits on the fees that organisations may charge to deal with a manifestly unfounded or excessive request. However, at present there are no regulations in place. It is therefore your responsibility, as a controller, to ensure that you charge a reasonable rate.