Last week, the Information Commissioner's Office ("ICO") released a new code of practice to assist organisations faced with requests from individuals seeking to obtain their personal information.
As well as conferring rights on individuals, the Data Protection Act 1998 also places obligations on organisations when handling subject access requests. Organisations tasked with responding to subject access requests should align their processes with the recent ICO guidance and consider the following points in particular:
- Ascertain if the request for information is a subject access request i.e. is it in writing (this does not necessarily mean letter form and includes email and may even include requests made via social media) and in pursuit of the individual's personal data – personal data is that which can enable an individual to be identified e.g. bank account details, employment particulars etc.
- Confirm the requester's identity. Depending on its relationship with the requester, the organisation should, acting reasonably, assess whether verification (and to what extent) is necessary.
- Clarify any confusion as to the data sought at the outset.
- If a fee is being charged for dealing with the request, then the organisation should be clear on this in the early stages. The provision of information can be refused until any fee has been settled. Remember, however, that in most cases the maximum fee which can be recovered is only £10.
- Given the 40 day time limit for responding to subject access requests, measures should be in place to facilitate the efficient sourcing and retrieval of data. Even where certain information is difficult to access, this is not grounds to exclude it from a response.
- Address whether the information requested contains information relating to other individuals. Unless it is reasonable or the other individual consents, there is no requirement to comply with those aspects of a request which would simultaneously give rise to the unavoidable disclosure of a third party's personal data.
- Make sure that the information supplied is in an intelligible and, where appropriate, permanent form. In many cases this will mean giving a copy of the document containing the personal data and explaining complex or business terms / codes.
- Consider whether any exemptions apply and, if relevant, weigh up whether they should be used.