The Information Commissioner's Office (ICO) has reissued a code of practice on subject access requests (SARs). The code was originally published last year but has been updated and re-issued. It explains the rights of individuals to access their personal data and sets out what data controllers (including employers) must do to comply with their duties under the Data Protection Act (DPA). Although there is no new law in the code, it is the ICO's interpretation of what the DPA requires organisations to do to comply with SARs. Compliance is not mandatory where the code goes beyond the basic requirements of the DPA, but inevitably it will be easier for organisations to show that they have not breached the DPA if they have complied with the code.
SARs are simple and cheap to make and (unlike the rules on disclosure of information in court cases and tribunals) there is no requirement for any justification for a request. Hence they are regarded as a very useful tool for employees in disputes. There has been a good deal of publicity about the new code and this, combined with the abolition of discrimination questionnaires from next month, may lead to heavier reliance on SARs.
Although making a SAR is easy, responding to it can be challenging and involve extensive efforts to find and retrieve the requested information, particularly if it is contained in emails that have been archived and removed from live systems. The code takes a strict line on this, advising that it will never be reasonable to deny access to requested information merely because responding to it may be labour-intensive or inconvenient.
Particular issues for employers are that:
- the right to subject access is very wide - it relates to any personal data
- the SAR does not have to be in any particular format (it simply needs to be made in writing) and the maximum fee you can charge for dealing with it is £10
- you are not obliged to comply with an identical or similar SAR to one you have already dealt with recently but if information has been added or amended since the last request, you must provide a full response to the request – not merely supply the new information
- response to a SAR has to be prompt and in any event within 40 calendar days of receiving it
- there are some exceptions to the right of subject access, such as confidential references given (not those received from third parties), but they are very limited
- apart from the specific exemption for personal data protected by legal professional privilege, you must not refuse to respond to a SAR merely because litigation is contemplated or has started
- there are some tricky confidentiality issues where the request involves data about people other than the maker of the SAR.