The ICO has updated its subject access code of practice (the Code) to reflect recent developments in case law.
The Code is of interest to all organisations that hold personal data as it reflects the Information Commissioner’s Office’s (ICO) interpretation of what is required to deal with subject access requests (SARs) under the Data Protection Act 1998 (DPA).
The ‘disproportionate effort’ exception
One aspect of the code that has been amended to reflect recent Court of Appeal case law relates to the ‘disproportionate effort’ exception.
Under section 8(2) of the DPA the obligation to supply a person requesting access with a copy of the requested information in permanent form does not apply where doing so is impossible or would involve ‘disproportionate effort’. The DPA does not define ‘disproportionate effort’, but, as we have previously reported, the Court of Appeal judgment in Dawson-Damer v Taylor Wessing LLP, together with the joined appeals in Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Deer v University of Oxford, clarified aspects of the exception.
Chapter 8 of the updated Code states that:
- In assessing ‘disproportionate effort’ a data controller may factor in difficulties which occur throughout the process of complying with the request, including those in locating the requested information.
- The ICO expects data controllers to assess the circumstances of each request and balance difficulties in complying against the benefit the information may bring to the requester.
- To establish that the exception applies, the burden of proof is on the data controller to show that all reasonable steps to comply with the SAR have been taken, and that it would be disproportionate in all the circumstances to take further steps.
- It is good practice for data controllers to engage with the requester about the information they require.
- Even if it is possible to show that there is ‘disproportionate effort’ in providing a copy of the information in permanent form, the data controller must try to comply in some other way, as agreed with the requester.
Further changes to the Code
In addition to amendments relating to ‘disproportionate effort’ other changes to the Code include the following:
- Handling SARs: Chapters 5 and 6 have been amended to highlight that an organisation’s information management systems should facilitate dealing with SARs, and that any new system(s) implemented should be designed so that they comply with the DPA and support the handling of SARs.
- National scope of legal professional privilege exemption: Chapter 9 has been updated to clarify that personal data is exempt from the right of subject access if it consists of information for which legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
- Court’s discretion under s7(9) DPA: Chapters 9 and 11 have been amended to state that the court has a wide discretion as to whether or not to order compliance with a SAR. It is clarified, however, that the requester’s purpose for making a SAR (for instance as a precursor to litigation) is irrelevant.
- Educational records: Chapter 10 has been updated to clarify that the ICO is not the responsible regulator regarding legislation on access to pupils’ educational records.
- Enforced SAR: Chapter 11 reiterates that forcing an individual to make a SAR is a criminal offence.
The ICO highlights that, whilst current attention is rightly focused on the forthcoming GDPR, the DPA is, for now, current law. As such, the ICO is committed to ensuring that guidance evolves to reflect case law on the interpretation of the DPA. Organisations should familiarise themselves with the changes to the Code to ensure they continue to comply with current data protection legislation.
The updated Code is available on the ICO’s website.