The UK Information Commissioner’s Office (ICO) has issued an updated code of practice (the Code) on subject access requests, less than a year after releasing its original guidance paper on the topic. The Code is designed to help organisations fulfill their duties under the Data Protection Act 1998 (DPA) and contains guidance in relation to recognising and responding to subject access requests.

The “right of subject access” enables individuals to request from organisations information about what personal data is held about them. The information may include source of the personal data, how it is processed and whether it is passed on to any third parties. The DPA also permits individuals to request a copy of the personal data held. Unless an exemption applies, organisations are under a duty to provide this information when requested.

The Code is not legally binding, but it does demonstrate the steps that the ICO considers to be good practice. The ICO also points out that by dealing with subject access requests efficiently an organisation may enhance the level of customer service offered.

The main recommendations of the Code relate to the handling of a subject access request and cover the following issues:

  1. Taking a positive approach to subject access.
  2. Finding and retrieving the relevant information.
  3. Dealing with subject access requests involving other people’s information.
  4. Supplying information to the requester (not just copies); and
  5. Exemptions.

The Code also contains guidance in relation to “special cases” and enforcement action by the ICO.