(LONDON) The UK ICO has come through yet again with some clear guidance as to how to apply the UK’s data protection laws in connection with requests by individuals for access to their personal data. While we are waiting with bated breath for a final version of the new Data Protection Regulation (earlier posts here and here), it’s worth remembering that compliance with the existing regime is still vital – and any guidance from the ICO regarding the current statutory requirements is certainly worth noting.
The Data Protection Act 1998 (Section 7) gives individuals the right to request disclosure of the information that an organization holds about them. (Other EU countries have similar access rights, as required by the current Data Protection Directive.) The latest guidance from the ICO addresses the potentially daunting question of how to respond to such “subject access requests.”
In a nutshell, individuals have the right to know what personal information is held by an organization, the source of the information, whether their personal information is being processed and for what reasons, and whether it will be shared with third parties. Individuals are entitled to receive a copy of their personal information. Individuals can also request information about the reasoning behind any automated decisions (such as assessments of creditworthiness).
Answering subject access requests may involve significant resources, but organizations are allowed to charge no more than £10 (around $15) for responding. As individuals become more aware of their access rights, it is becoming more critical for organizations to hold and process personal data in highly traceable ways that will allow a streamlined, low-cost response to such requests. Organizations should also be aware that subject access requests are likely to crop up if there is a brewing dispute with a consumer.
If you are faced with a subject access request, you can get quick, high-level guidance via the ICO’s online checklist. The checklist provides a useful first cut, but it is likely that most organizations will want more guidance. For that, see the new fifty-eight-page Subject Access Code of Practice – and consider contacting a member of your Mintz Levin privacy team to help you respond appropriately within the permitted 40-day response period. A quick and appropriate response is not only a legal requirement – it’s also a good way to avoid negative publicity!