A few weeks ago, I raised the question of what payment mechanisms a data controller must accept for the payment of the £10 fee for a Subject Access Request. I have had a somewhat protracted discussion with the ICO since – see the addendum to my original post. The Information Commissioner’s Office have finally come up with their fully-formed opinion on this, as below:
We have received some further guidance from our policy team who have clarified the situation with regards to SARs and when a fee should be accepted.
As I have previously stated, if an organisation does not have the facilities to accept a fee by a certain method then it would not need to create one, as per my previous example regarding PayPal.
In general there is no legal obligation on a data controller to accept a particular method of payment. A data controller can express a preference as to the payment method it would accept, and the data subject should normally comply with this preference where it is reasonable to do so. As we have advised before though, the data controller may on occasion have to have regard to compliance with disability discrimination requirements.
It is also possible for a data subject to express a preference, but, as a payment is to be made to the data controller, agreement would have to be reached with the data controller that this is an acceptable method of payment. The data subject is not able to insist that any recognised legal method of payment should be acceptable to the data controller. Consequently, there is no requirement for the data controller to accept any form of payment just because that is the preference expressed by the data subject.
However, the right of subject access is a basic, fundamental right. This means that it must be sufficiently easy for a data subject to make payment to a data controller in order to exercise that right. Although there may be some cash-only businesses that do not have the facility to process card payments, we believe that the vast majority of organisations do have this facility. Where this is the case, the controller should accept card payments for subject access in order to facilitate the applicant’s request. We would consider it obstructive for the controller to refuse card payments for subject access where it makes and receives card payments for other purposes. The same is true of bank transfers and other payment systems.
My basic tl;dr of the above is that organisations can dictate which mechanism they want applicants to use to pay the SAR fee, and the requester can’t override this, though the organisation might have to make a reasonable adjustment for a disabled person. In any case, if the organisation has the ability to take payments for other things by alternative mechanisms, the ICO would consider it obstructive not to accept SAR fees by them. What consequences the ICO would impose on an organisation it considers obstructive isn’t stated, but I suspect naff all, frankly.
The above seems to be at odds with the ICO’s DPA Lines To Take document on SAR fees (.doc file), which says:
If a data subject provides the correct fee in a format which is legally recognised in the UK to denote payment eg cash, cheque or postal order etc. and assuming that they have correctly provided all the other elements of a subject access request eg adequate identification etc, the moment the data controller has received the request (section 7(2)), its obligations under section 7 begin.
A data controller does not have to accept the payment, but the obligation begins nonetheless – acceptance is not a condition of receiving. A data controller is well within its rights to state a preference for a particular format of payment, but it cannot demand it.
To me, that doesn’t fit with what the ICO has just written in the above email to me:
In general there is no legal obligation on a data controller to accept a particular method of payment. … The data subject is not able to insist that any recognised legal method of payment should be acceptable to the data controller. Consequently, there is no requirement for the data controller to accept any form of payment just because that is the preference expressed by the data subject.
Clear as mud to me…