On August 9, 2013, the UK Information Commissioner’s Office (“ICO”) published a new code of practice providing guidance to organizations on how to respond to subject access requests (the “Code”). The Code follows a public consultation on a draft code during 2012 and 2013.
Under the UK Data Protection Act 1998, individuals are entitled to access (1) the personal data an organization processes about them, (2) the purpose of the processing, (3) whether the organization shares the personal data with any third parties, and (4) the source of the personal data.
The ICO has published a quick reference checklist on ten simple steps that organizations should consider when responding to subject access requests. As outlined in the ICO’s press release, the steps include:
- Identify whether a request should be considered as a subject access request.
- Make sure you have enough information to be sure of the requester’s identity.
- If you need more information from the requester to find out what they want, then ask at an early stage.
- If you’re charging a fee, ask for it promptly.
- Check whether you have the information the requester wants.
- Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing.
- But do consider whether the records contain information about other people.
- Consider whether any of the exemptions apply.
- If the information includes complex terms or codes, make sure you explain them.
- Provide the response in a permanent form, where appropriate.
Launching the Code, UK Information Commissioner Christopher Graham highlighted the role access requests can play in empowering data subjects. “We are all being asked to provide organisations with more and more information about ourselves and subject access requests are a useful tool for keeping control of our data.” He also stressed that access requests can benefit organizations by highlighting inaccuracies in records.
The ICO will carry out a review of websites later this year to look at the information organizations provide to anyone who may seek to make a subject access request, and will publish a report of its findings early next year.