The ICO has issued its new Code of Practice on Dealing with Subject Access Requests (the "Code"). Much of the content will be familiar to those dealing with SARs, and the ICO has taken the opportunity to clarify its approach to a number of grey areas. However, it has taken an unhelpful stance on issues such as the interaction between SARs and litigation, and how far a data controller must go in order to comply with a SAR.
Under section 7 of the Data Protection Act 1999 ("DPA"), individuals have the right to find out what personal data an organization possesses about them by submitting a Subject Access Request ("SAR"). Over the course of last year, the Information Commissioner's Office ("ICO") received over 6,000 complaints from employees in relation to the SAR regime, and an increasing number of requests for guidance from employers. The ICO has published its Code in response.
The Code sets out what the ICO considers to be "good practice" recommendations for compliance with the SAR regime. Whilst a breach of the recommendations themselves will not necessarily constitute a breach of the DPA, the ICO is clear that the Code is the ICO's "interpretation of what the DPA requires of organisations to comply with SARs."
The Code does contain some helpful guidance, including some practical examples on the use and application of various exemptions from the obligation to provide personal data. Of particular help to employers is likely to be the confirmation in the Code that there is no need to search deleted data. However, a number of the Code's recommendations are very far reaching and likely to be impractical for the majority of employers, such as the suggestion that compliance with SARs be monitored and discussed at "information governance steering group meetings", and that there should be a dedicated IT system to process SARs. A previous suggestion that there should be a minimum of two layers of quality review in respect of any redacted data, i.e. to confirm that all data has been excluded appropriately, has been reduced to a minimum of one quality review.
Although these steps were raised in the course of consultation as impractical for the vast majority of data controllers (involving a significant level of dedicated resource), the ICO has nevertheless retained them as examples of "good practice". In our view, this goes further than the terms of the DPA itself require.
Of most concern to employers will be the ICO's approach to (1) SARs in the context of litigation; (2) whether employers can rely on the "disproportionate effort" exemption to limit the scope of the SAR; and (3) searching of electronic archives.
The ICO's view, as expressed in the Code, is that an employer cannot refuse to supply personal data in response to a SAR simply because it is requested in connection with actual or potential legal proceedings. Whilst the Code recognizes that there is a discrepancy between the DPA and established case law on this point, its view is that the right of subject access overrides any other legal rule limiting disclosure.
A data controller must supply a copy of the data obtained in the context of a SAR in permanent form unless the supply of such a copy would involve disproportionate effort. Employers have, in the past, sought to use this as a means to limit the scope of a search. However, the ICO makes it clear that the exemption applies only to the act of supplying data and not to the act of locating it (the step at which the majority of costs are incurred). The Code states that: "you cannot refuse to comply with a SAR on the basis that it would involve disproportionate effort, simply because it would be costly and time consuming to find the requested personal data held in archived emails." It also makes it clear that "we rarely hear of instances where an organisation could legitimately use disproportionate effort as a reason for denying an individual access to any of their personal data."
The Code clearly provides that a data subject is entitled to copies of his/her personal data held in electronic archives (including in the Cloud). The ICO's rationale is that "as you have decided to retain copies of the data for future reference, you will presumably be able to find the data... So you will be required to provide such information in response to a SAR."
The Code usefully gathers together the ICO's guidance on SARs which had previously been contained in various guidance notes, and clearly articulates the ICO's approach to a number of issues. However, a number of its good practice recommendations are unlikely to be practical or feasible for the vast majority of data controllers.
The approach of the Code in relation to the disproportionate effort exemption, and compliance with SARs in the context of actual or potential litigation, is particularly unhelpful. In relation to the latter, the Code fails to resolve the conflict between the approach of the ICO and that of the courts. The courts have held that, if the provision of information is best dealt with through the disclosure process in the context of ongoing litigation, it may be appropriate to refuse to order personal data to be disclosed in response to a SAR. The Code notes that, although a court may choose not to enforce an individual's right of subject access, that does not mean that the ICO will not.
On this point, our recent experience is that the ICO is becoming more active in the sphere of enforcing subject access rights. However, although the ICO's powers to enforce include criminal prosecution, non-criminal enforcement and the power to issue fines, in practice it is likely to adopt a less severe sanction, such as an audit, in a case of non-compliance with the subject access regime.