THE LENS
Digital developments in focus

ICO publishes new guidance on data subject access requests

The Information Commissioner’s Office (ICO) has published updated guidance on data subject access requests (DSARs), reflecting both changes brought in by the Data (Use and Access) Act 2025 (DUA Act) and recent case law developments. Timed to coincide with the DUA Act’s latest set of commencement regulations expected later this month (and which should include the changes relating to DSARs), the new guidance clarifies several practical aspects of DSAR management for organisations.

Key DUA Act changes reflected in the ICO guidance 

  • Controllers can ‘stop the clock’ where clarification is reasonably required. The guidance confirms that controllers may pause the one‑month response deadline where clarification is reasonably required to provide an effective response. Crucially, the previous condition that the controller must process a “large amount of information” about the requester has been removed. This should aid organisations in their DSAR management: the ability to pause now depends on whether clarification is genuinely needed to respond effectively, not necessarily on the sheer volume of data held (although volume is still a relevant consideration in other areas, as we discuss below).
  • Data subjects must be notified of their right to make a complaint to the controller. If refusing a request, controllers must inform the requester of their right to complain to the controller, in addition to their right to complain to the ICO and to seek judicial remedies. This change reflects the DUA Act’s new right for data subjects to complain to the controller if they consider that the controller is not complying with UK data protection rules.
  • Volume is a relevant factor when determining if a request is unreasonable or disproportionate. When evaluating whether searches would be unreasonable or disproportionate, controllers should now consider the volume of information that may need to be searched, alongside the circumstances of the request, search difficulties, and the fundamental nature of the right of access. This addition should assist in defending proportionate search strategies, especially where legacy systems or sprawling datasets are involved.

Other changes reflected in the ICO guidance

  • Repeated demands for information in different formats may be treated as manifestly unfounded or excessive. The guidance reiterates that if a requester can download their personal information in a commonly used electronic format, and does not object to doing so, this will satisfy the requirement to provide a copy. However, controllers should make it clear that requesters have the right to ask for their information to be provided in a different format, and reasonable requests should be met where possible. The ICO does acknowledge, though, that where a person repeatedly requests further copies in different formats after downloading from a portal, the request may be treated as manifestly unfounded or excessive (meaning the controller may refuse or charge a fee).
  • Controllers must disclose specific recipients in supplementary information. Providing only ‘categories of recipients’ to whom personal data has been or will be disclosed is permitted only where naming specific recipients would be impossible or the request is manifestly unfounded or excessive. This development tracks recent case law (including Harrison v Cameron and ACL, which clarified that organisations will need a defensible rationale where categories are used instead).
  • Exemptions can apply to supplementary information. The updated guidance clarifies that exemptions may apply not only to the personal data disclosed but also to the supplementary information that accompanies a DSAR response. This follows Harrison v Cameron, where the court recognised that the “rights of others” exemption could justify withholding identities of specific recipients notwithstanding the general entitlement to know them. 

Overall, the updated guidance balances new operational flexibilities against stricter transparency requirements. On the one hand, clarifications aligned with the DUA Act should improve the day-to-day management of DSARs. On the other hand, the case law-driven requirement to disclose specific recipients by default raises the bar for transparency and record-keeping. Organisations may need to invest in adapting their processes, for example by mapping data disclosures accurately and updating transparency and exemption frameworks, but doing so is likely to make DSAR handling more predictable and defensible in the longer term.

Many thanks to Sarah Woodburn for her assistance in preparing this post. 
