The Information Commissioner’s Office has updated its Subject Access Code of Practice to reflect two recent Court of Appeal judgements which examined the obligations to comply with a subject access request.
The Data Protection Act 1998 (DPA) gives individuals a right to access information relating to their personal data held by a data controller (which would include their employer), as well as a right to receive a copy of the data in permanent form. This is done by making a subject access request (SAR).
The Information Commissioner’s Office (ICO) has published and updated its Subject Access Code of Practice on dealing with SARs, following the recent judgements in Dawson-Damer and others v Taylor Wessing LLP and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and others.
The updated Code can be found here: https://ico.org.uk/media/for-organisations/documents/2014223/subject-access-code-of-practice.pdf. The updates focus on two main areas: the “disproportionate effort” exception to complying with a SAR, and SARs made for “collateral” purposes.
“Disproportionate effort” exception
The DPA provides an exception to supplying copies of information in a permanent form if “the supply of such a copy is not possible or would involve disproportionate effort”.
The Code of Practice previously suggested that this exception should only be relied on in “the most exceptional of cases” and that it only applied to the process of supplying the information. However, following the decisions in Dawson-Damer and Ittihadieh, the Code has removed the reference to exceptional cases and states that the concept of “disproportionate effort” applies to the process of complying with the request, including any difficulties encountered in finding the requested information, as well as supplying it.
The Code has also given some clarity as to what disproportionate effort means, stating that consideration should be given to whether supplying the information in permanent form would result in “so much work or expense as to outweigh the requester’s right of access to their personal data.”
However, the Code states that this exception cannot be used to justify a blanket refusal of a SAR, and a data controller should instead evaluate the particular circumstances of each request. Controllers must be able to demonstrate that they have taken reasonable steps to comply with a SAR and that they have engaged in an open conversation with the requester. In addition, even if this exception can be relied on, an employer still has an obligation to provide information about the data that is processed.
The Court of Appeal stated in Dawson-Damer that there is “nothing in the DPA which limits the purpose for which a data subject may request his data”. The Code has therefore clarified that it is irrelevant whether the requester has a collateral purpose in making a request, i.e. where they are contemplating legal proceedings.
However, in Ittihadieh the Court of Appeal concluded that, as a matter of principle, the court may take into account whether a requester lacks a legitimate reason for making a request. The court has a wide discretion to order compliance with a SAR and, consequently, the Code now sets out a range of factors the court may wish to consider.
Further changes ahead under the GDPR
The updated Code is helpful in summarising the outcome of recent case law, particularly with regard to when the “disproportionate effort” exception can be used. With the General Data Protection Regulation coming into force in May 2018, there will be further changes for employers to be aware of when responding to SARs.