The Information Commissioner’s Office (ICO) has updated its subject access code of practice to reflect developments in recent Court of Appeal judgments.
Organisations should find this updated guidance helpful in responding to Subject Access Requests (SARs) in line with court and ICO expectations, particularly where requests are likely to involve extensive search efforts.
Data controllers (for example, employers) may be glad to see that the co-operation of the requester will be factored into complaint handling by the ICO, which may assist with difficult requesters.
The main updates to the code concern obligations on data controllers in responding to SARs in relation to the “disproportionate effort” exception and SARs made for collateral purposes.
In relation to assessing disproportionate effort, the guidance notes that:
- Data controllers may take into account difficulties which occur throughout the process of complying with a SAR, including any difficulties in finding the requested information.
- The ICO expects data controllers to evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject (for example, the employee).
- The burden of proof is on the data controller to demonstrate that all reasonable steps to comply with the SAR have been taken and that it would be disproportionate in all the circumstances to take further steps.
- The ICO considers it good practice to engage with the requester in open conversation about what information they require, which may avert unnecessary costs and effort in searching.
- If it receives a complaint about a SAR, the ICO may take into account the data controller’s readiness to engage with the requester, balanced against the benefit and importance of the information to the requester, as well as the requester’s own level of co-operation in handling the request.
The ICO also notes that it is not relevant whether the requester has a “collateral” purpose for making the SAR (that is, a purpose other than checking or correcting their personal data).
Further changes to the code encourage data controllers to have well-designed and maintained information management systems so that they can locate and extract the data requested and redact third-party data.