What’s the issue?
Subject Access Requests (SARs) are a vital tool in the privacy arsenal for individuals. Using a SAR, the data subject may request the personal data held about them from data controllers. Lately, SARs have increasingly been used as an adjunct to discovery in legal proceedings, including employment disputes, and at times the courts have taken a different approach from the ICO as to the validity of SARs made for collateral purposes. There have also been differences in approach as to when data controllers can justifiably refuse to comply with a SAR on the grounds that doing so would require disproportionate effort.
What’s the development?
The ICO has published an updated code of practice on subject access requests. The most significant changes have been made largely in response to recent case law and focus on the disproportionate effort exemption and SARs made for collateral purposes.
The section of the code on ‘Finding and retrieving the relevant information’ now notes that the Data Protection Act places a “high expectation” on providing information in response to a SAR. In relation to information contained in emails, the code now notes that the disproportionate effort exemption cannot be a justification for a blanket refusal to respond to a SAR, because the question to be considered is what is proportionate in the circumstances.
When assessing what constitutes disproportionate effort, the code now reflects recent case law and states that:
- data controllers may take into account difficulties which occur through the process of complying with a SAR, including difficulties finding the information requested;
- data controllers are expected to evaluate the circumstances of each request, balancing any difficulties in complying against the benefits to the data subject if they receive the requested information, overlaid by a consideration of the fundamental nature of data subject rights;
- the burden of proof is on the data controller to show that it has taken all reasonable steps to comply with the SAR and that further steps would have been disproportionate;
- it is good practice to engage with the requester about the information they require as this may help avoid unnecessary costs and effort;
- the ICO may take the data controller’s willingness to engage with the requester into account in the event that it receives a complaint about the data controller’s response to the SAR;
- even if the data controller can show that compliance with a SAR would involve disproportionate effort, it must still comply with the SAR in another way if the data subject agrees.
In terms of collateral purposes, the ICO advises that any collateral purpose for making a SAR is not relevant to the data controller when deciding whether to comply.
The courts have a wide discretion when deciding whether or not to order compliance with a SAR under s7(9) DPA and the code lists factors which may be taken into consideration.
Data controllers are encouraged to have systems which facilitate locating, extracting and redacting personal data in response to SARs.
What does this mean for you?
The updated guidance adds clarity to some of the more contentious issues around SARs, particularly in light of the incoming General Data Protection Regulation. For more on SARs and how to comply with them, see our article and checklist on our Global Data Hub.