The Information Commissioner’s Office (ICO) has published a new code of practice to assist organisations when dealing with a subject access request under the Data Protection Act.
The new code
The new code, which can be accessed from the ICO’s website (PDF), provides organisations with detailed guidance on the subject access process and what the law requires.
In particular, the code provides guidance on potentially tricky issues such as requests for information in relation to children, the extent to which archived or deleted information is within scope, and requests for information that also include information about third parties.
Subject access requests – ten steps
In addition to the new guidance, the ICO has also published a list of ten simple steps that organisations should follow when dealing with subject access requests:
- Identify whether a request should be considered as a subject access request
- Make sure you have enough information to be sure of the requester’s identity
- If you need more information from the requester to find out what they want, then ask at an early stage
- If you’re charging a fee, ask for it promptly
- Check whether you have the information the requester wants
- Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing
- But do consider whether the records contain information about other people
- Consider whether any of the exemptions apply
- If the information includes complex terms or codes, then make sure you explain them
- Provide the response in a permanent form, where appropriate
Audit of online businesses
The ICO has also announced that it is to carry out an audit of how a number of websites and online businesses deal with subject access requests.
The “subject access sweep” will cover organisations in the public, private and third sector, and look at how they deal with subject access requests, with the results forming part of a report to be published next year.
Time to review your subject access request policies
It’s not clear whether the ICO is planning to name and shame organisations that fail to comply with their obligations, but the new guidance and proposed audit should act as a catalyst for organisations of all shapes and sizes to review their data retention policies and their procedures for dealing with subject access requests.
Brodies can guide you through that review process and help you develop policies and procedures that will assist you in complying with your obligations under the Data Protection Act. To find out more, please get in touch.
On August 9, 2013