The Information Commissioner’s Office (ICO) has published new updates to its Subject Access Code of Practice. The changes follow the two English Court of Appeal judgments in the Dawson-Damer v Taylor Wessing LLP and Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens cases. The ICO has also updated its CCTV Code of Practice and Guide to Data Protection.
Recent case law
The English cases of Dawson-Damer and Ittihadieh are relevant to Scottish organisations in their interpretation of the UK-wide Data Protection Act 1998 (DPA).
Section 8(2) of the DPA provides an exemption from complying with a subject access request (SAR) where “providing the information in a permanent form would involve disproportionate effort”. Dawson-Damer involved a SAR submitted to a firm of solicitors by a party on the other side of litigation. The court found that “effort” included searching for the personal data in the first instance, as well as providing copies. This was inconsistent with the ICO’s Subject Access Code of Practice up to this point.
The decision in Ittihadieh confirmed that a requester’s motive in submitting a SAR will be relevant in deciding whether the court will order a data controller to comply with the SAR. The court noted that it will also take into account whether there is a more appropriate means of obtaining the information, whether the SAR is an ‘abuse of process’ and any potential benefit to the requester.
Subject access requests
The Subject Access Code of Practice has been updated to reflect these recent decisions and the new guidance is available here.
The CCTV Code of Practice has also been revised in light of the judgment in Dawson-Damer on the scope of the disproportionate effort exemption. The guidance has also been updated to highlight that organisations must ensure the design of their CCTV systems facilitates the handling of SARs.