Subject Access Requests: ICO Publishes Updated Guidance

The Information Commissioner's Office (ICO) has published an updated data subject access code of practice (the Code) to reflect developments following two major Court of Appeal judgments published in early 2017: Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others [2017] EWCA Civ 121.

The main updates to the Code concern the extent of a data controller's obligation to respond to subject access requests (SARs) made under section 7 of the Data Protection Act 1998 (DPA).

'Disproportionate effort' exception

The ICO previously stated that the disproportionate effort exception should be relied on only in the most exceptional cases. With reference to the clarification provided by the Court of Appeal, it has now relaxed that position slightly: when assessing whether complying with a SAR would involve disproportionate effort, a company "may take into account difficulties which occur throughout the process of complying with the request, including any difficulties you [the company] encounter in finding the requested information".

However, the ICO expects the data controller to:

evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject; and
engage with the applicant and have an open conversation about the information they require.

This readiness to engage with the data subject may be considered by the ICO where a complaint is received about the handling of a SAR.

Collateral purposes

In some instances, a SAR can appear to be a 'fishing expedition' for information not associated with a genuine privacy concern; however, the Code states that whether the applicant has a 'collateral' purpose for making the SAR (i.e., other than seeking to check or correct their personal data) is not relevant.

Electronic records

Chapter 6 of the Code sets out the ICO's expectations in relation to checking electronic records for the data subject's personal data. In particular:

Data controllers should have procedures in place to find and retrieve personal data that has been electronically archived or backed up. If a data controller deletes personal data held in electronic form by removing it (as far as possible) from its computer systems, the fact that expensive technical expertise might enable it to be recreated does not mean that the data controller...
