In a newly revised code of practice on subject access requests (SARs) (66-page / 433KB PDF), the ICO explained how the Data Protection Act's rules on handling individuals' requests for their personal data apply to organisations that allow employees to store such information on their own devices.
Under the Data Protection Act people have a right to obtain a copy of the personal data organisations hold on them upon filing a request for that information. This includes employees requesting data held by employers. Those requests are called data subject access requests (SARs) and must generally be complied with within 40 days.
Organisations also have to disclose supplemental information alongside the personal data they provide in response to SARs. That includes a description of the personal data they hold about the requester, the purposes for which it is processed and the third parties to whom it may be disclosed, as well as the logic involved in any decisions taken about the requester on the basis of automated processing of their personal data.
The ICO's new code is relevant to organisations that embrace the 'bring your own device' (BYOD) approach to mobile working. BYOD is where staff use their own smartphones or other mobile devices for work purposes.
The ICO said it is "good practice" for organisations to apply a "policy restricting the circumstances in which staff may hold information about customers, contacts, or other employees on their own devices or in private email accounts". It confirmed, though, that where organisations allow staff to store such information on their own devices, that data is potentially subject to disclosure when SARs are submitted.
"If you do permit staff to hold personal data on their own devices, they may be processing that data on your behalf, in which case it would be within the scope of a SAR you receive," the ICO said. "The purpose for which the information is held, and its context, is likely to be relevant in this regard. We would not expect you to instruct staff to search their private emails or personal devices in response to a SAR unless you have a good reason to believe they are holding relevant personal data."
According to the ICO's own official statistics, mishandling of SARs is the data protection issue the public complains about most. Last year, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals' rights to access the personal data organisations hold about them.
The ICO also used its revised code on SARs to confirm that organisations cannot ignore SARs submitted through social media channels. It said that organisations can steer people to submitting SARs through a particular communications channel, but "may not insist on the use of a particular means of delivery for a SAR".
"Individuals may make a SAR using any Facebook page or Twitter account your organisation has, other social-media sites to which it subscribes, or possibly via third-party websites," the ICO said. "This might not be the most effective way of delivering the request in a form you will be able to process quickly and easily, but there is nothing to prevent it in principle. You should therefore assess the potential for SARs to be received via social-media channels and ensure that you take reasonable and proportionate steps to respond effectively to requests received in this way."
The ICO said, however, that organisations are entitled to ask requesters to confirm their identity and that they can, in some cases, respond to SARs submitted via social media using other communications channels.
"Because the requester must provide evidence of their identity and because you might require them to pay a fee, they will often have to supplement a SAR sent by social media with other forms of communication," the ICO said. "You may decline to use social media to supply information in response to a SAR if technological constraints make it impractical, or if information security considerations make it inappropriate to do so. In these circumstances you should ask for an alternative delivery address for the response."
The ICO's revised code of practice also, among other things, contains guidance on how organisations can deal with subject access requests where it would involve them disclosing other people’s information as well as information about the requester.
The General Data Protection Regulation (GDPR), which will apply from 25 May 2018, will require organisations to respond to SARs in a shorter timeframe than that which applies under the Data Protection Act at the moment.