The Information Commissioner’s Office (ICO) has updated its subject access code of practice to reflect developments in two recent Court of Appeal decisions on data controllers’ obligations to respond to Data Subject Access Requests. You can read one of our earlier Insight articles on Dawson-Damer & Others v Taylor Wessing LLP and Ittihadieh v 5-11 Cheyne Gardens here.
Data Subject Access Requests (DSARs) are increasingly being used as a tool by employees in litigation and disputes with employers. Given the large amounts of employee personal data held by employers, DSARs can often become a costly and onerous exercise.
Employers complying with DSARs should find the updated guidance useful as it clarifies what the ICO and the courts will expect from those dealing with such requests. Although the ICO still requires employers to undertake extensive efforts to comply with a DSAR where necessary, the revised guidance takes a more data controller-friendly stance and in particular gives new guidance on the ‘disproportionate effort’ exception in the Data Protection Act 1998.
Some key changes to the previous guidance include:
Disproportionate effort exception
- Data controllers cannot use the disproportionate effort exception to justify a blanket refusal to comply with a DSAR. However there is scope “for assessing whether, in the circumstances of a particular case, supplying a copy of the requested information in permanent form would result in so much work or expense as to outweigh the [data subject’s] right of access to their personal data”. When applying the exception, the ICO expects data controllers to evaluate the particular circumstances of each request and balance any perceived difficulties involved with compliance against the benefits the information might bring to the data subject. The ‘fundamental nature of the right of subject access’ must also be kept in mind.
- The burden of proof to show that all reasonable steps have been taken to comply with the request rests squarely with the data controller.
- The code of practice emphasises that data controllers should engage and cooperate with the person making the request and, when dealing with complaints, the ICO will take into account the data controller’s willingness to cooperate with the data subject as well as the data subject’s response.
- Employers dealing with multiple requests from the same data subject will welcome the clarification that trying to negotiate with the data subject to limit the scope of a new DSAR to new or updated information will be accepted by the ICO. However, if the data subject insists on a full response, all information will have to be provided.
‘Collateral purpose’ of a DSAR
- The ICO expressly rejects any suggestion that a data controller can refuse to comply with a DSAR because the data subject has a ‘collateral purpose’ for making the request, i.e. they are not making the request to check or correct their personal data.
- The fact that the data subject may wish to use the information released in, for example, legal proceedings is not a relevant factor when complying with the DSAR.
Information held electronically: archiving and deleting
- Archived or backed-up electronic data should be included in DSAR responses. Although it may be more difficult to access than ‘live’ data, the ICO points out that if copies have been retained, there will be methods and processes for accessing them.
- The fact that deleted personal data may be recoverable through ‘expensive technical expertise’ does not mean that it has to be included in a response to a DSAR, provided it has been deleted (as far as possible) from an employer’s systems.
Information management systems
- The ICO requires data controllers to put in place effective information management systems which will enable them to efficiently find the information requested and allow them to redact third party data, if necessary.
The updated code of practice can be found here.