ICO updated guidance on DSARs
- Mariel Irvine
Introduction
In September last year, when I presented a webinar to members of the Chartered Insurance Institute on changes introduced by the Data Use and Access Act 2025 (‘DUAA’), only some of its provisions had come into force and most were due to be implemented in the twelve months beginning June 2025. In December, the ICO gave updated guidance on data subject access requests which covers amendments made by the DUAA, one of which is already in force and the other is waiting in the wings. The “stop the clock” provision in section 76 is not yet in force. The section 78 requirement that any search in response to a data subject access request (‘DSAR’) need only be “reasonable and proportionate” is.

Stop the clock
The Act gives controllers more room to manoeuvre on time limits.
Under Article 12 UK GDPR, requests from individuals to exercise any of their rights must be actioned “without undue delay” and ordinarily within one month of receipt of the request.
In the case of “complex” or multiple requests, the controller may extend the time by up to two further months. The individual should be informed, within one month of receipt of the request, of the extension and the reason why the extension is necessary. The ICO notes that a request is not complex simply because clarification is required (see below).
Section 76 of the DUAA amends Article 12 and inserts a new Article 12A. Controllers may request “reasonable” clarification to help them identify the personal information or the processing activity the DSAR relates to. The period beginning with the day the controller makes the request and ending with the day the controller receives the information does not count towards the one-month time limit.
What does “reasonable” mean? The ICO guidance confirms controllers should not ask for clarification on a blanket basis, but only for clarification that is “reasonably” required. The legislation does not define reasonable but it is likely to include circumstances where it is not possible to provide an effective response because the request is vague or the controller holds a lot of information about the person. However, the ICO qualifies this by making clear that “reasonable” does not cover the situation where a controller holds a lot of information about a person but it can retrieve it and provide it quickly and easily. Smaller organisations are likely to be in a stronger position to make requests for clarification than larger ones.
When asking for clarification it is important to record the reasons why clarification is needed so that the controller can later justify its position, and to make the request as soon as possible after receiving the DSAR. The requester should receive advice and assistance on what clarification would be helpful. It may focus minds to provide them with a deadline of one month or some other reasonable period for providing the clarification.
It is important to remember that a controller cannot force a person to refine the scope of their request. The ICO reminds us that they are entitled to ask for all their information. Where a requester ignores a request for clarification or refuses to provide it, a controller need do no more than carry out a “reasonable and proportionate” search and share the information they can find.
"Reasonable and proportionate" search
There is a new limitation on data subjects’ right to access their information which has been in force since 19 June 2025.
Article 15 UK GDPR at paragraph 1 provides:-
The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information….
Section 78 DUAA inserts the following paragraph 1A into Article 15:-
Under paragraph 1, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data ….
Data subjects are entitled only to information that can be obtained from a “reasonable and proportionate” search.
What is a reasonable and proportionate search? The Act does not define what it means and the ICO is clear that a controller must be able to show why a search was not reasonable or proportionate.
The guidance confirms the controller should consider:
· the circumstances of the request
· the volume of information that needs to be searched
· any difficulties involved in finding the information
· the fundamental nature of the right of access
The ICO advises a controller is not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. This may point to a balancing exercise whereby the more important the information requested is the greater the efforts to find and retrieve the information should be.
The extent of the search and the reasons for it should be documented so that the controller can later justify its position to the ICO.
Right to complain
There is a third significant amendment to the DSAR regime. When responding to a request the guidance confirms the requester should be informed not only of its right to complain to the ICO but also of its new right to complain to the controller under section 103 DUAA.
This section is unlikely to come into force until June 2026. The ICO has conducted a formal consultation on complaints and the outcome is due shortly. It will be the subject of a separate blog.
Mariel Irvine
27 January 2026

