Timeframe
The recipient of a data request must respond without undue delay and, in any event, within one month. This starts on the day the organisation receives the request (even if this is a weekend or bank holiday) and ends on the corresponding date of the next month.
If the corresponding calendar date does not exist because the following month has fewer days, the end date is the last day of the month. If the end date falls on a weekend or bank holiday, the calendar month ends on the next working day.
If a number of requests have been made, or the request is complex, organisations may require extra time. Where this is the case, they can generally take up to an extra two months to respond. Organisations should inform the person making the request within one month of receiving the request if they need more time and explain why.
See the ICO guidance on time limits for more information.
Format
The recipient of the request is required to provide the information requested in an 'intelligible form' - which essentially means in a form that most people would be able to understand using clear, plain language.
Proof of ID
Organisations may require proof of ID to carry out identity verification for security reasons. Such checks will often form part of an organisation’s measures to protect personal data from unauthorised access.
If the recipient of the request has doubts about the identity of the person making the request, they can ask for more information. However, it is important that they only request information that is necessary to confirm who the individual is. The key to this is proportionality.
Where more information is needed to confirm the individual’s identity before their request can be responded to, they should be informed of this as soon as possible. If proof of identity is requested, the one-month time limit doesn’t start until the proof of ID has been received by the organisation.
For more information, see the ICO guidance on responding to data protection requests.
Fees
In most situations, organisations should comply with data protection requests free of charge. However, an organisation may be able to charge a fee:
- to cover their administrative costs, if the organisation finds the request to be ‘manifestly unfounded or excessive’ (eg the request was made to harass or disrupt the organisation or the person doesn’t have a genuine intention of accessing their information)
- if the individual asks for additional copies of the information after a request
If an organisation can charge a fee, the one-month time limit doesn’t start until the fee has been paid by you and received by the organisation.
Read the ICO guidance on responding to data protection requests for more information.