The Information Commissioner’s Office in the UK (ICO) has updated its Subject Access Code of Practice (the Code) which deals with requests from individuals for personal information. The amendments are mainly to reflect the Court of Appeal’s decisions in the recent cases of Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Deer v University of Oxford [2017] EWCA Civ 121.
In the UK under the Data Protection Act 1998 (DPA 1998) a data subject, such as an employee, has a right, on making a subject access request (SAR) to the data controller (the employer), to be informed whether personal data of which he is the data subject is being processed. If so, the employee also has a right to certain information relating to that personal data and a copy of the data in permanent form must be provided. The Code is published to assist organisations in dealing with these requests.
Section 8(2) DPA 1998 provides an exemption to the requirement to provide a copy of the information in permanent form, where to do so would involve “disproportionate effort”. The updates to the recent version of the Code largely concern considerations of the “disproportionate effort” exception as a result of guidance in the recent cases referred to above. Whilst the Code makes it clear that “the DPA places a high expectation on you to provide information in response to a SAR” and that the disproportionate effort exception “cannot be used to justify a blanket refusal” of a SAR, the ICO notes that the court has explained the scope for assessing whether, in the circumstances of a particular case, the disproportionate effort exception may apply. In relation to assessing disproportionate effort, the guidance notes that:
- Data controllers may take into account difficulties which occur throughout the process of complying with a SAR, including any difficulties in finding the requested information.
- Data controllers are expected to evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, whilst bearing in mind the fundamental nature of the right of subject access.
- The burden of proof is on the data controller to demonstrate that all reasonable steps to comply with the SAR have been taken and that it would be disproportionate in all the circumstances to take further steps.
- It is good practice to engage with the requester in open conversation about what information they require, which may avert unnecessary costs and effort in searching. If it receives a complaint about the handling of a SAR, the ICO may take into account a data controller’s readiness to engage with the requester.
- Even if the employer can show that complying with a SAR would involve disproportionate effort, it must still comply with it in another way, if the requester agrees. For example, if supplying hard copies would involve disproportionate effort, the parties may agree that it is appropriate to allow the individual to view the original documents with specific requests for copies.
The Code also looks at the motive behind an individual’s request. It now expressly states that whether or not a requester has a “collateral” purpose (that is, other than seeking to check or correct their personal data) for making the SAR is not relevant. However, although the right is “purpose blind”, a court has a wide discretion in deciding whether or not to order compliance with a SAR under section 7(9) of the DPA. In addition, the Code provides updated guidance on the various factors a court may wish to consider in exercising its discretion.
The General Data Protection Regulation (GDPR) will bring further changes to an employee’s rights on a data subject access request (see our previous blog The GDPR – what does it mean for HR?). However, clarification on these points in the Code is to be welcomed.