The ICO has reviewed its guidelines on Subject Access Requests. While not legally binding, the guidance sets out steps for organisations to take to comply with the UK data protection legislation.
What has happened?
Following significant Court of Appeal decisions relating to the obligation of data controllers to respond to Subject Access Requests, the Information Commissioner's Office (ICO) has updated its Subject Access Code of Practice to reflect these recent developments.
Recap: The Data Protection Act 1998 provides an individual whose data is being processed (a “data subject”) with a right to access the data that an organisation holds about them.
What further guidance has been provided?
Key updates to the Code include:
Disproportionate effort exemption
Data controllers can use the disproportionate effort exemption to deny data subjects access to their personal data when the work or expense in providing a copy of the information would be disproportionate to the individual's rights of access. The ICO clarified that the assessment can take into account the efforts in searching for and finding the information as well as supplying it.
The burden of proof lies with the data controller to show that they have taken all reasonable steps to comply with the request, and that it would be disproportionate in all the circumstances to take further steps.
However, controllers should still be aware that there is a high expectation placed on them to respond to a Subject Access Request. The Code states that controllers “should be prepared to make extensive efforts to find and retrieve the requested information”, and this ties in with the point below about having well-organised information management systems.
Collateral purposes/motive behind the Subject Access Request
Subject Access Requests can often be a disguise for “fishing expeditions” to obtain information not primarily concerned with privacy, but in the context of grievances or early litigation. The ICO’s guidance states that whether or not a requester has “collateral purposes” for making the Subject Access Request is not relevant.
The Code dismisses suggestions that case law provides authority for organisations to refuse to comply with a Subject Access Request where the requester is contemplating or has already begun legal proceedings.
The Code advises that data controllers should have well-organised and maintained information management systems that allow the data controller to locate and extract relevant data relating to the data subject, as well as the ability to redact third-party data.
The systems should also be able to include in those searches any electronically archived or backed-up data. However, the balance of interests between the expense of finding the information and the data subject's rights must always be considered when examining what a proportionate response includes.
What you need to do
To ensure that your organisation can efficiently comply with Subject Access Requests you should:
- engage with the person making the request: the data controller’s readiness to assist will be considered if there is a complaint
- be aware that from 25 May 2018 (the date that the GDPR comes into force) the time limit for responding to a Subject Access Request will decrease from 40 days to 30 days
- ensure that your information management systems are fit for purpose
- consider whether your company policy relating to “bring your own device” is up-to-date to restrict the circumstances in which staff can hold information on their own device. This is because UK data protection laws might compel staff to search the devices for information to comply with Subject Access Requests
- always balance the difficulties of searching, finding and providing the information requested with the benefits that the information might bring to the data subject.