
ICO publishes updated Subject Access Code of Practice

Published on 25 September 2017

How should data controllers respond to subject access requests (SARs)?

The background

The Information Commissioner's Office (ICO) has updated its Subject Access Code of Practice, originally published in 2013, to reflect the guidance of the Court of Appeal in Dawson-Damer v Taylor Wessing [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121.

The development

Arguably the most important development outlined in the amended Code relates to the “disproportionate effort” exception.  By way of reminder, section 8(2) of the Data Protection Act states that the obligation to supply a requestor with a copy of the requested information in permanent form does not apply where doing so would involve disproportionate effort.  

The ICO attempts to codify the developments made by the Court of Appeal in the Dawson-Damer and Ittihadieh cases with regard to the exception.  The Code states that:

difficulties throughout the process of complying with a request (e.g. in locating the requested information) may be taken into account when assessing disproportionate effort
the data controller should assess each request, balancing the effort in complying against the potential benefits the requestor might gain from the information
the burden of proof is on the data controller to show that all reasonable steps in order to comply with the SAR have been taken, and that further steps would be disproportionate
even if there is a demonstrable disproportionate effort in providing permanent form copies, a data controller must try to provide the information in some other way.

Additional amendments to the Code require that data controllers:

co-operate with the applicant – in other words, to engage with the requester about the information they require
disregard the purpose of the SAR – the Code clarifies what we learned in Dawson-Damer: the applicant's collateral purpose (other than seeking to check or correct their personal data) in making the SAR is irrelevant to the obligation of a data controller to comply with the request
beware of ICO enforcement – the ICO will now have the power to serve enforcement notices if it considers that an organisation has failed to comply with the subject access provisions.  However, it will only take action if it is reasonable to do so, and it will not require organisations to take unreasonable steps to comply.

Why is this important?

Whilst attention is currently focused on the upcoming GDPR, the ICO reminds us that the Data Protection Act and the associated cases are the current law.  The revised Code is important not only because it reflects up-to-date case law, but also because it gives an indication of how the ICO expects to see SARs dealt with in practice, particularly where requests are likely to involve extensive search efforts.  

Any practical tips?

If you are wondering how to respond to a SAR, read this Code! Following the guidance, and even reflecting its language and tone when dealing with applicants, may make a huge difference if your response is ever investigated. Remember that SARs become free (i.e. no £10 payment required) when the GDPR lands – and when something becomes free, it becomes very popular. So the sooner your business starts dealing with SARs in the correct way, the better placed it will be to deal with what may become a tsunami of SARs after May 2018.