ICO Releases Consultation On Subject Access Code Of Practice

After the need for privacy and cookie policies, subject access requests are perhaps the most common area in which organisations recognise they have compliance obligations under the Data Protection Act 1998 (DPA). We digest some of the less well-known points coming out of the Information Commissioner’s Office’s (ICO) draft Code of Practice, released for consultation on 13th December.

Key points

  1. This is not a simple issue for all organisations. The draft Code runs to some 60 pages, which is illustrative of the extensive list of issues that can arise.
  2. The ICO view subject access as part of good customer relationship management, to be treated no differently to any other customer query. Do it well, and your customer perception and brand will be enhanced.
  3. You need a decent personal data management system. Without one, the ICO highlights that subject access requests can be very challenging. That said, subject access requests are just the tip of the iceberg. Meaningful compliance with all of the DPA’s requirements is difficult without proper processes, controls, training, audit and improvement mechanisms in place. This problem will only get worse (and the consequences far greater) if the draft EU General Data Protection Regulation becomes law in its present format, so if you don’t have an appropriate system, it would be worth thinking about one sooner rather than later.
  4. The ICO encourage responses in electronic format where requested, such as using .CSV or similar file formats for the delivery up of related information. This trend is very interesting as it is directly encouraging voluntary steps towards the world envisaged by midata and the draft EU General Data Protection Regulation, which both mandate electronic data provision in certain circumstances. Organisations who put processes in place to comply with this recommendation will be at the forefront of compliance and probably have less to do once such proposals become law.
  5. Responses have to be in intelligible form, although this does not mean the responses have to be intelligible to the actual person requesting them in all circumstances. The ICO state as an example a situation where an individual’s English language skills are limited and state you do not have to translate everything. You can get into equality issues though. The position would certainly be different if the requesting individual were disabled; for example, a blind person could legitimately ask for a braille version. In all cases, you would have to explain any material organisational jargon or abbreviations you use. Issues in this area can be particularly complicated if people request technical or computer-generated information such as behavioural data.
  6. If the requested information includes information on other individuals, you need to balance each individuals competing interests; that of the requester to their data versus that of the other person to confidentiality. This exercise is not easy.
  7. There are exemptions but these should not be over-emphasised. They are relatively limited, and in particular do not extend to circumstances where legal claims are possible unless an organisation can legitimately claim legal professional privilege (this is a particularly common question).
  8. The DPA offers limited protection from vexatious and unreasonable requests which are a relatively common problem for some organisations, and can be time-consuming and distressing to deal with on occasion. There is an exemption from the provision of information under the DPA where this involves “disproportionate effort” but the ICO goes to some lengths to say this should only be used in exceptional cases, and is generally of the view that “information stored in electronic form can easily be found and retrieved”. Archived and deleted records raise particular issues though.

Why should I bother about the Code?

As with all codes of practice, its contents will not be legally binding, and the ICO does highlight that its recommendations on best practice actually go further than the Data Protection Act 1998 actually requires in some areas.

Nevertheless, once finalised the code is worth bearing in mind, not least because of the rise and rise of privacy in the public consciousness, growing complexity of access issues (e.g. the scope of electronic personal data being held by consumer-facing organisations), and tendency for individuals to feel aggrieved and complain to the ICO if they put in an access request and do not meet with a positive experience.

The draft EU General Data Protection Regulation will also raise the data protection bar significantly if (or when) it becomes law in its present format. The better your practices, the easier the leap up will be.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.