ICO Publishes Revised Subject Access Code Of Practice Incorporating Court Of Appeal Guidance – Dealing With Requests From Individuals For Personal Information

In the wake of two key judgments from the Court of Appeal, the Information Commissioner's Office has updated its Subject Access Code of Practice - Dealing with requests from individuals for personal information. The revisions, published on 20 June 2017, are designed to promote a spirit of co-operation and openness in terms of a readiness to engage with applicants, a willingness to negotiate in respect of repeated SARs and a readiness to take balanced steps when faced with compliance with a SAR rather than a mere assertion of disproportionate burden. The revised Code also requires data controllers to have in place procedures to find archived, backed up and deleted material, to set aside the applicant's purposes when handling a request. Finally, where an organisation has failed to comply with the subject access provisions, the ICO indicates that it will consider carefully whether there has been damage or distress before serving an enforcement notice.

Background

The ICO published the original version of its Subject Access Code in 2013 in order to help organisations provide subject access in accordance with the Data Protection Act 1998 and good practice. It aimed to do this by explaining how to recognise an SAR and by offering practical advice about how to deal with, and respond to, an SAR. The Code provided guidance on the limited circumstances in which personal data is exempt from subject access and explained how the right of subject access can be enforced when things go wrong.

The Code has now been updated and takes into account the guidance of the Court of Appeal in Dawson-Damer v Taylor Wessing [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens [2017]...