Following a public consultation in December 2012 on a draft version, the Information Commissioner’s Office (ICO) published its final Subject Access Code of Practice on 8 August 2013.
Like all other data protection laws in the EU, the Data Protection Act 1998 (DPA) includes the principle that anyone has the right to find out what information an organisation holds about them by making a ‘subject access request’ (SAR). But when faced with such a request, organisations often feel confused, daunted or even frustrated as to how to properly handle and respond to a SAR. How do we carry out a full search for all their personal data? How do we ensure that the privacy of others isn’t infringed when responding? There are on-going legal proceedings – don’t the discovery rules provide a more appropriate method of providing information?
So, the ICO’s code of practice aims to assist organisations in the public, private and non-profit sector handle SARs and provides practical guidance on the subject – from how to recognise a SAR to how to actually deal with and respond to such requests. The code explains the circumstances in which organisations can refuse to provide all or some of the information requested, as per the ‘exemptions’ from the duty to comply with a SAR set out in Schedule 7 of the DPA.
The code also includes ten simple steps to consider when responding to SARs:
- Identify whether a request should be considered as a SAR
- Make sure you have enough information to be sure of the requester’s identity
- If you need more information from the requester to find out what they want, then ask at an early stage
- If you’re charging a fee, ask for it promptly
- Check whether you have the information the requester wants
- Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…
- But do consider whether the records contain information about other people
- Consider whether any of the exemptions apply
- If the information includes complex terms or codes, then make sure you explain them
- Provide the response in a permanent form, where appropriate
The ICO’s code does not have the force of law and they cannot take enforcement action where organisations fail to adopt good practice or to take on the code’s recommendations – unless, of course, this itself breaches the DPA.
But beware organisations with websites: the ICO plans to carry out what they call a ‘subject access request sweep’ of websites later in the year with the aim of publishing a report on their findings in early 2014. They’ll be looking at the information that organisations provide to anyone who may want to make a SAR. So it may be a worthwhile exercise to double check that the SAR information set out in your website privacy policy (or elsewhere) is adequate.