A reminder that last month the ICO published its updated Subject Access Code.

The Code does not override the Data Protection Act, but provides the ICO’s interpretation of the subject access provisions in the Act and its recommendations for good practice. 

The purpose of the Act’s subject access regime is to enable requesters to verify the accuracy of their personal data and the lawfulness of its processing. 

The Code covers matters such as:

  • recognising subject access requests, including those made through social media such as Facebook and Twitter;
  • the interaction between the Freedom of Information and Data Protection regimes;
  • using appropriate information management systems and document retention policies;
  • responding to “bulk” subject access requests (requests by multiple individuals);
  • clarifying the scope of subject access requests and determining what data is held;
  • dealing with requests which involve another person’s personal data;
  • supplying information to the requester;
  • applying the “disproportionate effort” exemption, and dealing with repeated or unreasonable requests;
  • applying the DPA restrictions and exemptions, including the special provisions that apply to certain types of request such as those relating to exam results, exam scripts, school records and health records.