Following a series of court decisions earlier this year, the Information Commissioner’s Office (ICO) has issued an updated version of its code of practice on Subject Access Requests (SARs). The revised code addresses a number of difficult issues in relation to SARs, including how the rules on disproportionate effort should be interpreted.

Background

Earlier this year, the Court of Appeal in England issued its judgments in a number of SAR cases: Holyoake v CPC & Christian Candy, Dawson-Damer v Taylor Wessing and the joint appeals of Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University. The Court of Appeal’s judgments provided some clarity on the law and, in some instances, adopted a different approach to that taken previously by the ICO in its SAR Code.

What does the new Code say?

The Code has been updated to deal with a number of key points coming out of the Court of Appeal decisions: the scope of the disproportionate effort exception; the data subject’s motives for making the request; and the Court’s discretion to use its enforcement powers.

Disproportionate effort

Previously, the ICO’s view was that the reference in section 8(2) of the Data Protection Act to disproportionate effort applied only to the step of making the personal data available once the data controller had located it. The Court of Appeal disagreed: the exception has a wider application and can also extend to the effort involved in searching for and retrieving the data.

Taking into account the Court of Appeal decisions, the ICO has updated section 8 of the Code. The Code acknowledges that the steps controllers are required to take when responding to a SAR must be reasonable and proportionate. However, if a controller decides that it is not going to take certain steps on the basis that they are not reasonable and proportionate, it will need to be able to justify that approach:

[w]e expect you to evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, whilst bearing in mind the fundamental nature of the right of subject access.

In particular:

…the burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR.

If a controller considers that complying with the request may involve disproportionate effort, the ICO expects the controller to discuss this with the data subject to see whether the scope of the request can be refined or narrowed. If a controller does not engage in such discussions, the ICO will take this into account when dealing with any complaint about the controller’s handling of the SAR.

Disproportionate effort and emails

The ICO has also tweaked its guidance on providing access to information held in emails. Whereas previously the ICO said that controllers could not refuse to comply with a SAR on the basis of disproportionate effort “simply because it would be costly and time consuming” to find information in archived emails, the ICO now acknowledges that the disproportionate effort exception may apply in such cases.

However, controllers cannot use it as the basis for a blanket refusal. Controllers must still do what is proportionate in the circumstances.

Motives behind the SAR

The ICO has also clarified its guidance to make clear that the motives behind a SAR (ie a purpose other than simply checking what information is held and whether it is correct) are not relevant to whether the controller must comply. It is, however, for the courts to decide whether or not to enforce compliance.

Scope of the Court’s enforcement powers

As the Court of Appeal noted in the Dawson-Damer case, there is “nothing in the Data Protection Act or the Directive that limits the purpose for which a data subject may request his data,” but the court does have discretion in deciding whether to enforce compliance with a SAR.

The ICO has updated its guidance to incorporate the range of factors identified by the Court of Appeal as being things that a court can take into account when deciding whether or not to order an organisation to comply with a SAR. These include:

  • the nature and gravity of the data controller’s breach of its obligations under section 7 of the DPA (which deals with SARs)
  • the general principle of proportionality
  • balancing the individual’s fundamental right of subject access against the interests of the data controller
  • prejudice to the individual’s interests
  • whether there is a more appropriate route to disclosure
  • whether there is an abuse of process or a conflict of interest

As the ICO notes, these factors do not affect a controller’s obligation to make a disclosure in response to a SAR; they are relevant instead to whether a court will decide to compel a controller to comply where it has previously refused to do so. How a court will weigh up these factors remains unclear. Organisations will therefore need to think carefully before deciding not to comply with a SAR on any of these grounds, and be able to justify to a court why it should exercise its discretion not to order compliance.

Where can I find the new Code?

You can download the new code of practice from the ICO’s website.