The Information Commissioner’s Office (ICO) has published an updated data subject access code of practice (the Code) to reflect developments following two major Court of Appeal judgments published in early 2017: Dawson-Damer and others v Taylor Wessing LLP  EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others  EWCA Civ 121.
The main updates to the Code concern the extent of a data controller’s obligation to respond to subject access requests (SARs) made under section 7 of the Data Protection Act 1998 (DPA).
‘Disproportionate effort’ exception
While previously stating that the disproportionate effort exception should only be relied on in the most exceptional cases, the ICO has relaxed its position slightly, with reference to the clarification provided by the Court of Appeal, in determining that, when assessing whether complying with a SAR would involve disproportionate effort, a company “may take into account difficulties which occur throughout the process of complying with the request, including any difficulties you [the company] encounter in finding the requested information”.
However, the ICO expects the data controller to:
- evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject; and
- engage with the applicant and have an open conversation about the information they require. This readiness to engage with the data subject may be considered by the ICO where a complaint is received about the handling of a SAR.
In some instances, a SAR can appear to be a ‘fishing expedition’ for information not associated with a genuine privacy concern; however, the Code states that whether the applicant has a ‘collateral’ purpose for making the SAR (i.e., other than seeking to check or correct their personal data) is not relevant.
Chapter 6 of the Code sets out the ICO’s expectations in relation to checking electronic records for the data subject’s personal data. In particular:
- Data controllers should have procedures in place to find and retrieve personal data that has been electronically archived or backed up.
- If a data controller deletes personal data held in electronic form by removing it (as far as possible) from its computer systems, the fact that expensive technical expertise might enable it to be recreated does not mean that the data controller must go to such efforts to respond to a SAR.
- It is good practice to have a company policy restricting the circumstances in which staff may hold information on their own devices or in private email accounts. If staff are permitted to hold personal data on their own devices, this may be within the scope of a SAR. However, the ICO would not expect a data controller to instruct staff to search their private emails or personal devices in response to a SAR unless it has good reason to believe they are holding personal data.
Dealing with SARs involving third-party information
The Code includes a three-step approach to help data controllers decide whether to disclose information relating to a third-party individual:
- Step 1 – does the request require the disclosure of information that identifies a third party?
For example, it may be possible to comply with the request without revealing information that relates to and identifies a third-party individual.
- Step 2 – has the third-party individual consented?
This is the clearest basis for justifying disclosure of third-party information in response to a SAR, so it is therefore good practice to ask the relevant third parties for consent where it is appropriate and/or possible to do so.
- Step 3 – would it be reasonable in all the circumstances to disclose without consent?
The ICO notes that the DPA provides a non-exhaustive list of factors to be taken into account when making this decision, including any duty of confidentiality owed to the third-party individual; whether the third-party individual is capable of giving consent; and any stated refusal of consent. The Code also sets out other points that are likely to be relevant:
- Whether the information is generally known to the individual making the request – e.g., it has previously been provided to the requester, is already known by them, or is generally available to the public.
- Circumstances relating to the individual making the request, such as the importance of the information to them.
- Special rules governing health, educational and social work records (as explained further in chapters 9 and 10 of the Code).
Where a data controller decides to withhold third-party information, the ICO considers that it may still be possible to provide some information, having edited or redacted it to remove information that would identify the third-party individual. The data controller must also be able to justify the decision to disclose or withhold third-party information so it is good practice to keep a record of any decisions made, including why consent was not sought or why it was inappropriate to do so in the circumstances.
Importantly, the updated Code reflects these recent case law developments, providing practical guidance on what the ICO and courts will expect to see from data controllers in responding to SARs, particularly where they are likely to require extensive search efforts. It will also provide data controllers with some comfort to know that efforts they may make to engage with data subjects to facilitate a positive or helpful interaction with regard to their SAR might help mitigate any fallout in the event of a future SAR-handling complaint to the ICO.