ICO revised code of practice for dealing with subject access requests

The ICO has recently published a revised Code of Practice on subject access requests (SARs).

The development

The Code of Practice incorporates principles from the recent Dawson-Damer and Ittihadieh/Deer judgments, and offers fresh guidance on how the ICO expects data controllers to deal with subject access requests in practice.

The key amendments

The burden of compliance on the data controller

Tracking the trend of recent case law, the ICO has been forced to adopt a more data controller-friendly standpoint on the burden of compliance with a SAR. As recently confirmed by the Court of Appeal, data controllers are required to take reasonable and proportionate steps in complying with SARs. Nonetheless, this does not mean they can merely assert disproportionality without due consideration.

In asserting that steps would be disproportionate, the burden of proof is on the data controller to show that it has taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for it to take further steps. When doing so, the data controller must “evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, whilst bearing in mind the fundamental nature of the right of subject access.”

Encouraging dialogue between the data controller and the applicant

The ICO has made clear that it expects to see parties engage in productive dialogue about SARs:

“We consider it good practice for you to engage with the applicant, having an open conversation about the information they require. This might help you to reduce the costs and effort that you would otherwise incur in searching for the information.

If we receive a complaint about your handling of a subject access request, we may take into account your readiness to engage with the applicant and balance this against the benefit and importance of the information to them, as well as taking into account their level of co-operation with you in the course of the handling of a request.”

The extent of the search – archived/backup/deleted data

The revised Code contains a lengthy and helpful discussion regarding issues with information contained in archived/backup/deleted materials (at pages 29-30). The key takeaways are that:

• data controllers should have procedures in place to find and retrieve personal data that has been electronically archived or backed up. Although the process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data, data controllers will generally be required to provide such information in response to a SAR

• to the extent that data controllers’ search mechanisms allow them to find archived or backed-up data for their own purposes, they should use the same effort to find information in order to respond to a SAR that requests such data

• the ICO does not require organisations to expend time and effort reconstituting information that they have deleted as part of their general records management.

The ICO’s own powers to get involved in disputes about SARs

The ICO has confirmed its enforcement powers, asserting that it can serve an enforcement notice, but clarifying that:

“The Information Commissioner will not necessarily serve an enforcement notice simply because an organisation has failed to comply with the subject access provisions. Before serving a notice she has to consider whether the contravention has caused or is likely to cause any person damage or distress. She can serve a notice even though there has been no damage or distress but it must be reasonable, in all the circumstances, for her to do so. She will not require organisations to take unreasonable or disproportionate steps to comply with the law on subject access.”

SARs submitted via social media

The ICO also confirmed that organisations cannot ignore SARs submitted through social media channels.

“Individuals may make a SAR using any Facebook page or Twitter account your organisation has, other social-media sites to which it subscribes, or possibly via third-party websites,” the ICO said. “This might not be the most effective way of delivering the request in a form you will be able to process quickly and easily, but there is nothing to prevent it in principle”. It is worth noting that the ICO’s guidance here is slightly more generous than the COA’s position in Ittihadieh, ie that the data subject’s written communication must “make it clear that the data controller is being called upon to comply with the statutory duty under section 7(1) [of the Data Protection Act]”. It remains to be seen how this distinction will be reconciled in practice.

Organisations may decline to use social media to supply information in response to a SAR if technological constraints make it impractical, or if information security considerations make it inappropriate to do so. In such circumstances, the ICO recommends that organisations should ask for an alternative delivery address for the response.

Why is this important?

According to the ICO’s own statistics, mishandling of SARs is the number one data protection issue complained-about by the public. Last year, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.

The number of SARs made (and the pressure on organisations frequently ‘SAR’d’) is unlikely to let up anytime soon. From 25 May 2018, the £10 fee payable by a data subject making a SAR is to be abolished, and shortened timeframes will apply for responding to SARs (40 calendar days to 30).