Privacy & Information Security Law Blog

On June 20, 2017, the UK Information Commissioner’s Office (“ICO”) published an updated version of its Code of Practice on Subject Access Requests (the “Code”). The updates are primarily in response to three Court of Appeal decisions from earlier this year regarding data controllers’ obligations to respond to subject access requests (“SARs”). The revisions more closely align the ICO’s position with the court’s judgments.

Key changes in the Code include:

• Disproportionate effort: Under the Data Protection Act 1998, there is an exemption from the requirement to respond to a SAR where this would involve ‘disproportionate effort.’ Despite this, the Code previously suggested that there were no circumstances where it would be reasonable to deny access to requested information for the sole reason that responding to the request would be difficult. The updated Code relaxes this position, stating that “there is scope for assessing whether, in the circumstances of a particular case, supplying a copy of the requested information in permanent form would result in so much work or expense as to outweigh the requester’s right of access to their personal data.” The ICO expects, however, that all controllers will evaluate the circumstances of each SAR, balancing any perceived difficulties in complying with the request against the data subject’s benefits in receiving the information.
• Dialogue with the data subject: The Code now stresses that the ICO considers it a best practice for controllers to enter into dialogue with data subjects following a SAR, allowing the data subject to describe the particular information required and potentially restricting the scope of the SAR. As the Code notes, such a practice has the potential to ensure that the response would not involve disproportionate effort on the controller’s part. It also sets out that where the ICO receives a complaint about a controller’s handling of a SAR, it may take into account the willingness of the controller to engage with the data subject, as well as the data subject’s response.
• Information management: The Code states that information management systems should be configured so that the controller can easily locate and extract relevant personal data where a SAR has been made, including any archived or back-up data relating to the data subject. It further suggests that systems should allow for the redaction of third-party data where this is deemed necessary.

Although SARs will continue to require, in some cases, considerable efforts from data controllers to provide responsive information, the impact of the Court of Appeal’s decisions has at least tempered the ICO’s previously hardline approach towards a data controller’s obligations in relation to a SAR.