The UK Information Commissioner’s Office (“ICO”) released recommendations advising organisations to ensure that the data held regarding individuals is thoroughly and securely searchable so they can meet their obligations under the Data Protection Act 1998 (“DPA”). The ICO also clarified when companies can be classified as data controllers. The recommendations came through three sets of guidance issued by the ICO at the end of March 2012.
The right of access under the DPA places a general obligation on organisations in control of an individual’s personal data (data controllers) to provide that individual with a copy of the data in an “intelligible form” upon receiving a written request. Data controllers have been exempted from the obligation to provide a copy when it is not possible or would involve “disproportionate effort” under section 8(2) of the DPA. The ICO believes that too many organisations have relied too heavily on this exemption and have failed to provide access at all, prompting the ICO to clarify the requirement.
The ICO guidance makes it clear that the section 8(2) qualification applies only in respect of supplying a copy of the relevant information to the individual, and is not a basis for a data controller to refuse to respond to an individual’s access request when locating the information would take considerable effort or expense. The ICO expects organisations to have procedures to allow searches of “live” computer systems in anticipation of subject access requests, including situations where supplying a copy of the information to the individual would require “disproportionate effort,” as an organisation will still be obliged to comply with the request in another way. Even where the effort may be “disproportionate,” good practice dictates that organisations must search for records stored in stand-alone, as well as networked, computers, and take “reasonable steps” to look for personal data stored in archived systems in addition to searching manual records and emails.
Data controllers are expected to have procedures in place for searching records on their “live” computer system, as well as “clear policies” on how the system searches and retrieves archived data. Where electronic data has been deleted, the ICO will not usually require an organisation to reconstitute data that has been disposed of in accordance with retention and deletion policies. Companies should have evidence of proper procedures, as this may assist a data controller in persuading the ICO that it has not deleted data with the intention of preventing disclosure.
In separate guidance related to access requests, the ICO stated that the exemption under section 31 of the DPA (relating to regulatory activities) applies only to regulatory bodies such as Ombudsmen, the FSA and the IPCC.
The third guidance note issued by the ICO addresses the distinction between the classifications of data processors and data controllers under the DPA, although the ICO comments that deciding who is a data controller and who is a data processor is not always clear-cut, and there will often be differences of interpretation. The ICO states that when determining whether a party involved in the processing of personal data is a data controller, consideration should be given to the degree of independence that each party has in relation to how and in what manner the data is processed. The guidance explains that, broadly speaking, in a “simple data controller/data processor relationship” – where the client instructs another party to carry out the processing of personal data on its behalf and the service provided is straightforward – the client will be the data controller. The service provider who simply follows instructions and has “little or no flexibility” in providing the service is a data processor. The guidance goes on to detail specific and more complex situations in which determining who plays which part becomes more difficult.