The Information Commissioner’s Office (ICO) launched a consultation on the new Draft subject access code of practice on 29 November 2012. The closing date for responses to the consultation is 21 February 2013. It is hoped the code will assist both individuals who wish to make a subject access request and organisations to understand their obligations under the Data Protection Act (DPA). It is also hoped this code will assist organisations to handle subject access requests, as well as support the public in taking control of their personal information.

The DPA allows any living individual the right to find out what information an organisation holds about them by making a subject access request under Section 7 of the Act. For the NHS, the most frequent requests are for patient’s medical records. Usually an organisation has 40 days to reply to this request.

The ICO states that during the last financial year, it dealt with almost 6,000 complaints from individuals who felt that organisations were not complying with the law by allowing them to view their files. It is hoped that the final version of the code will clear up any confusion by clearly explaining an organisation’s legal responsibilities and an individual’s rights under the Act.

The code is divided into the following sections which deal with the following:

  • The purpose of the code of practice, who the code should be used by, the code status and further information
  • An overview of subject access requests
  • Taking a positive approach to subject access
  • Recognising a subject access request
  • Responding to a subject access request
  • Finding and retrieving the relevant information
  • Dealing with subject access requests involving other people’s information
  • Supplying information to the requester
  • Exemption
  • Special cases
  • Enforcing the right of subject access