The Information Commissioner’s Office (ICO) has published the subject access code of practice to give practical advice to organisations on how to handle requests from individuals for their personal data, often referred to as “subject access requests”.
Individuals are entitled to be:
- told whether any personal data has been processed;
- given a description of the personal data, the reasons that it is being processed and whether it will be given to any other organisation or people;
- given a copy of the personal data; and
- given details of the source of the data.
An individual can also request information about the reasoning behind any automated decisions taken about them.
To be classified as “personal data”, the information must relate to a living individual and allow the individual to be identified from it.
The code provides guidance to organisations on how to recognise and respond to a request, find and retrieve the information needed to respond to a request, deal with requests involving third-party information, and supply the information to the requester. It also provides guidance on the limited circumstances in which personal data is exempt from disclosure and on how individuals can enforce their rights of subject access.
The ICO has published 10 simple steps which organisations should consider when responding to subject access requests. These are:
- Identify whether a request should be considered as a subject access request.
- Make sure you have enough information to be sure of the requester’s identity.
- If you need more information from the requester to find out what they want, then ask for it at an early stage.
- If you are charging a fee, ask for it promptly.
- Check whether you have the information the requester wants.
- Do not be tempted to make changes to the records, even if they are inaccurate or embarrassing.
- Consider whether the records contain information about other people. You will not have to supply the information about other people mentioned unless they have given their consent or it is reasonable to supply the information without their consent.
- Consider whether any of the limited exemptions detailed in chapter 9 of the code apply. If all the information that the requester wants is exempt from subject access then you can reply that you do not hold any of their personal data that you are required to reveal.
- If the information includes complex terms or codes, then make sure you explain them.
- Provide the response in a permanent form, where appropriate.
The code itself does not have the force of law and the ICO cannot take enforcement action over a failure to adopt good practice or to act on the code’s recommendations, unless this itself breaches the Data Protection Act 1998.
However, the code will be welcome guidance for organisations that handle subject access requests.
Myerson are the premier corporate commercial solicitors in Cheshire and South Manchester.