Out-Law News

ICO drafts new code of practice on dealing with subject access requests

Organisations "must make extensive efforts" to find all the personal data relating to an individual when those individuals request access to the information, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) has opened a consultation on a draft code of practice (60-page / 331KB PDF) on 'data subject access' rights and responsibilities under the Data Protection Act (DPA). The watchdog said that organisations cannot omit some personal data when responding to a 'subject access request' (SAR) just because it may be difficult to locate.

"You must make extensive efforts to locate personal data that is relevant to a SAR," the ICO said in its draft code. "Having made those efforts, however, you are not obliged to leave no stone unturned in your search for relevant information."

Under the DPA, organisations are generally required, within 40 days of receiving a request, to provide a copy of the personal data they hold about the individual who made it.

In order to comply with SARs, organisations must generally provide the information in an "intelligible form". The copy must also be in "permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise."

The ICO said that, following a High Court ruling in 2007, "some commentators" have expressed the view that the 'disproportionate effort' rule applies not only to the difficulty of supplying personal data following a SAR but also to the difficulty of locating that information. However, the watchdog said it was its view that the case "does not provide authority for that view".

Organisations should ask requesters for information that they "reasonably need" in order to find personal data that is requested, the ICO said. Refusing to deal with a request just because there is not enough information provided by requesters to locate the data is not acceptable, it said.

"The type of information that it might be reasonable for you to ask for includes, where personal data is held in electronic form, information as to the type of electronic data being sought (application form, letter, email etc) and the approximate date of the creation of the data," the ICO said. "This may assist you in identifying whether the information sought is likely to have been archived (either printed off and held in a manual data archive or removed from your ’live’ electronic data systems and held in an electronic archive) or deleted."

Organisations need to have "procedures" in place for finding and retrieving personal data that is stored on electronic archives or back-up drives, it said. However, the watchdog said that organisations do not have to provide personal data if it has been deleted, even if it is technically possible to retrieve it from IT systems.

"Information is ‘deleted’ when you attempt to permanently discard it and you have no intention of ever attempting to access it again," the ICO said. "It is the Information Commissioner’s view that, if you delete personal data held in electronic form by removing it (as far as possible) from your computer systems, the fact that expensive technical expertise might enable the deleted information to be recreated does not mean that you must go to such efforts to respond to a SAR."

"The Commissioner would not seek to take enforcement action against an organisation which has failed to use extreme measures to recreate previously ‘deleted’ personal data held in electronic form. The Commissioner does not require organisations to expend time and effort reconstituting information that they have deleted as part of their general records management arrangements," it added.

The ICO said, though, that personal data contained in the 'deleted items' folder in email software is subject to disclosure when a relevant SAR is received. Although it may be difficult to locate personal data contained in emails where those emails are no longer on 'live' systems, organisations still have to try to find the information using appropriate effort, it said.

"You cannot refuse to comply with a SAR on the basis that it would involve disproportionate effort simply because it would be costly and time consuming to find the requested personal data held in archived emails," the ICO said.

If personal data is held on employees' own devices or in private email accounts, it may still be subject to disclosure in response to a SAR, the ICO said. It said, though, that it is "good practice" to have policies in place "restricting the circumstances in which staff" hold personal data this way.

"If you do permit staff to hold personal data on their own devices, they may be processing that data on your behalf, in which case it would be within the scope of a SAR which is made to you," according to the draft code. "The purpose for which the information is held, and its context, is likely to be relevant in this regard. We would not expect you to instruct staff to search their private emails or personal devices in response to a SAR unless there is a good reason to believe that they are holding relevant personal data."

The ICO's draft code also outlines how organisations should deal with SARs made by third parties, such as family members through a power of attorney, on behalf of individuals. It said that it will be "reasonable in many cases" to deem a child aged 12 or over to be sufficiently "mature" to make a SAR themselves and that organisations should therefore not send responses to parents in those circumstances. The ICO has set out criteria to help organisations make decisions on child SARs in borderline cases.

"Even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong, eg, to a parent or guardian," the ICO said. "So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them."

"In Scotland, the law presumes that a child aged 12 years or more has the capacity to make a SAR. The presumption does not apply in England and Wales or in Northern Ireland, but it does indicate an approach that will be reasonable in many cases. It does not follow that, just because a child has capacity to make a SAR, they also have capacity to consent to sharing their personal data with others – as they may still not fully understand the implications of doing so," it added.