The Information Commissioner's Office (ICO) has updated its subject access code of practice to reflect developments in recent judgments.
The courts have recently handed down significant decisions relating to data controllers' obligations when responding to subject access requests ("SARs") as detailed in our March alert here. The ICO has updated its Subject Access Code of Practice to reflect these decisions.
Disproportionate effort exception: The Code has modified its stance on when the disproportionate effort exception applies, and taken the steer from the courts that it applies to all aspects of a data controller's compliance (and not just at the stage of providing the results to the individual). That said, the Code states that the "DPA places a high expectation on [data controllers] to provide the information in response to a SAR", and that the disproportionate effect exception cannot be used to justify a blanket refusal of a SAR, as the data controller is required to respond in a proportionate way. The guidance notes that, in relation to assessing whether the effort required is disproportionate and the response reasonable:
Data controllers may take into account difficulties which occur throughout the process of complying with a SAR, including any difficulties in finding the requested information.
The ICO expects data controllers to evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, while bearing in mind the fundamental nature of the right of subject access.
The burden of proof is on the data controller to demonstrate that all reasonable steps to comply with the SAR have been taken and that it would be disproportionate in all the circumstances to take further steps.
The ICO considers it good practice to engage with the requester in open conversation about what information they require, which may avert unnecessary costs and effort in searching.
If it receives a complaint about a SAR, the ICO may take into account a data controller's readiness to engage with the requester and balance this against the benefit and importance of the information to them, in addition to the requester's level of co-operation in handling the request.
Even if a data controller can show that complying with a SAR would involve disproportionate effort, they must still comply with it in another way, if the requester agrees.
Collateral Purposes and court orders enforcing SAR compliance
In practice, SARs are often made by employees in the context of grievances or to get information early in litigation. The ICO's updated guidance makes clear that whether or not a requester has "collateral purposes" for making the SAR is not relevant in and of itself, although it will be relevant to the reasonableness of any response. If, for example, disclosure is due in litigation shortly after a SAR is made, it may well be reasonable to wait and provide the information through the court process. The ICO's position on this is largely unchanged, and was broadly endorsed by the courts in the recent cases.
The court has a wide discretion in deciding whether or not to order compliance with a SAR, and the guidance on this has been updated.
The Code also now encourages data controllers to have well-designed and maintained information management systems to locate and extract data requested and to redact third party data.
What does this mean for employers?
The updated guidance provides welcome clarification of the ICO's response to the recent cases and approach to potential breaches of SARs. Balancing the right to have a SAR complied with against the disproportionate effort involved in responding will require specific consideration in each case. However, the ICO's guidance around engaging with the requester over the parameters of the request, and whether there are alternative ways of providing the information is helpful, and may prove very useful with an intransigent requester where the burden of complying with the request is onerous and the benefit to the requester is limited.