The Information Commissioner’s Office (ICO) has published a new code of practice to assist organisations when dealing with a subject access request under the Data Protection Act.

The new code

The new code, which can be accessed from the ICO’s website (PDF), provides organisations with detailed guidance on the subject access process and what the law requires.

In particular, the code provides guidance on potentially tricky issues such as requests for information in relation to children, the extent to which archived or deleted information is within scope, and requests for information that also include information about third parties.

Subject access requests – ten steps

In addition to the new guidance, the ICO has also published a list of ten simple steps that organisations should follow when dealing with subject access requests:

  • Identify whether a request should be considered as a subject access request
  • Make sure you have enough information to be sure of the requester’s identity
  • If you need more information from the requester to find out what they want, then ask at an early stage
  • If you’re charging a fee, ask for it promptly
  • Check whether you have the information the requester wants
  • Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing
  • But do consider whether the records contain information about other people
  • Consider whether any of the exemptions apply
  • If the information includes complex terms or codes, then make sure you explain them
  • Provide the response in a permanent form, where appropriate

Audit of online businesses

The ICO has also announced that it is to carry out an audit of how a number of websites and online businesses deal with subject access requests.

The “subject access sweep” will cover organisations in the public, private and third sector, and look at how they deal with subject access requests, with the results forming part of a report to be published next year.

Time to review your subject access request policies

It’s not clear whether the ICO is planning to name and shame organisations that fail to comply with their obligations, but the new guidance and proposed audit should act as a catalyst for organisations of all shapes and sizes to review their data retention policies and their procedures for dealing with subject access requests.

Brodies can help guide you through that review process and help you to develop policies and procedures that will assist you to comply with your obligations under the Data Protection Act. To find out more, please get in touch.

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.