ICO Publishes Revised Subject Access Code Of Practice Incorporating Court Of Appeal Guidance Dealing With Requests From Individuals For Personal Information
In the wake of two key judgments from the Court of Appeal, the Information Commissioner's Office has updated its Subject Access Code of Practice - Dealing with requests from individuals for personal information. The revisions, published on 20 June 2017, are designed to promote a spirit of co-operation and openness: a readiness to engage with applicants, a willingness to negotiate in respect of repeated SARs, and a readiness to take balanced steps to comply with an SAR rather than merely asserting a disproportionate burden. The revised Code also requires data controllers to have in place procedures to find archived, backed up and deleted material, and to set aside the applicant's purposes when handling a request. Finally, where an organisation has failed to comply with the subject access provisions, the ICO indicates that it will consider carefully whether there has been damage or distress before serving an enforcement notice.
Background
The ICO published the original version of its Subject Access Code in 2013 in order to help organisations provide subject access in accordance with the Data Protection Act 1998 and good practice. It aimed to do this by explaining how to recognise an SAR and by offering practical advice about how to deal with, and respond to, an SAR. The Code provided guidance on the limited circumstances in which personal data is exempt from subject access and explained how the right of subject access can be enforced when things go wrong.
The Code has now been updated and takes into account the guidance of the Court of Appeal in Dawson-Damer v Taylor Wessing [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121.
Proper evaluation
One piece of good news for business is that the revised Code recognises that the burden on data controllers to comply with SARs is limited to taking reasonable and proportionate steps. Good practice in this area nevertheless relies on comprehensive evaluation of the particular circumstances of each request - businesses cannot merely assert that the burden of compliance is disproportionate.
In the ICO's own words:
"When responding to SARs, we expect you to evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, whilst bearing in mind the fundamental nature of the right of subject access."
The revised Code explains that, in...