The ICO exists to empower you through information.

Control measure: Processes to verify the validity of requests are in place.

Risk: If the validity of requests is not verified, requestors may impersonate another person or receive someone else’s personal information. This may breach UK GDPR articles 5(1)(f), 12, 15, and 32.

Ways to meet our expectations:

  • Verify the identity of the requestor and the address to send the information to, and keep records of the verification checks.
  • Verify that third parties making requests on behalf of people have written authority or power of attorney to make the request.
  • Ensure staff are aware of why verification checks are important.
  • Sample or check that staff carry out verification checks appropriately on completed requests.
  • Document verification checks and how to carry them out in sufficient detail in policies.

Options to consider:

  • Document clear step-by-step instructions or a process flow chart for verifying the validity of requests.
  • Document clearly how to handle requests from a parent on behalf of their child.
  • Document when it isn’t proportionate to ask for identity documentation or evidence (eg when requests are from staff members or known people).
  • Record what identity documentation or evidence is valid so that staff can refer to it.
  • Include a section on request forms to show people what evidence to provide with their request.


Control measure: Detailed records of requests handled are kept.

Risk: Not keeping records of verbal and written requests, or keeping incomplete records, makes it difficult to demonstrate compliance with statutory requirements, and prevents lessons being learned and used to improve performance. This may breach UK GDPR articles 5(2) and 30(1).

Ways to meet our expectations:

  • Keep a log of all verbal and written requests.
  • Log who handled each request.
  • Log what stage each request is at.
  • Log the due date for a response to each request within the statutory timeframe, the actual date you responded to each request, and the reason for any delays, where you didn’t meet the statutory timeframe.
  • Log where information was withheld under an exemption or related to third parties, and why this decision was made and by whom.
  • Log requests that were refused entirely or handled following a different process, and why this decision was made and by whom.

Options to consider:

  • Use a spreadsheet or database to automatically calculate key dates.
  • Mark log fields as ‘mandatory’ to ensure information is captured and there are no gaps.
  • Include the log in your retention schedule to ensure you only retain the information for as long as necessary.


Control measure: Processes to acknowledge and manage requests correctly are in place.

Risk: If requests are not acknowledged or progressed within a reasonable time, people may be dissatisfied and complain to the ICO, causing reputational damage to the organisation.

Ways to meet our expectations:

  • Acknowledge each request by confirming receipt electronically or in writing and inform the requestor of the latest date they will receive a response by. This will be no later than one month from the date you received their request.
  • Seek clarification promptly when the nature of the request is unclear or the request doesn’t contain enough information to respond.
  • Inform the requestor if you need to extend the response timeframe for their request. Only extend it by a further two months due to the volume or complexity of the request.
  • Inform the requestor if their request is delayed, why it is delayed, and the expected date they will receive a response by.
  • Prioritise or escalate requests that are delayed.
  • Ensure managers monitor requests in progress, including what stage each request is at and any issues or delays, to meet timescales.
  • Escalate details of requests that staff have not responded to within the statutory timeframe to a suitably senior manager or oversight group.

Options to consider:

  • Produce clear template text to use in letters or emails for each access request.
  • Include template text as appendices in your request for access policy, so staff can find it quickly and update it when you review the policy.


Control measure: Requests for access are responded to within the statutory timeframe.

Risk: If requests are not responded to within the statutory timeframe, people may be dissatisfied or complain, causing reputational damage. This may breach UK GDPR article 15.

Ways to meet our expectations:

  • Keep records to show that you have responded to requests for access and actioned them within the statutory timeframe.
  • Keep records of mitigating factors and actions taken for any requests for access that you didn’t respond to or action within the statutory timeframe.

Options to consider:

  • Use a spreadsheet or database to automatically calculate key dates.
  • Plan to respond to non-complex requests in a shorter period (eg two weeks) so you have extra time if there are delays or issues.