On 9 June 2017 the ICO published their revised ICO Code of Practice on subject access requests (SARs), a request by an individual to see the personal data that an organisation holds about them. This revised Code is important because it tells us how the ICO expects to see SARs dealt with in practice.
Here are out top tips to guide you through dealing with a SAR.
- Engage with the requestor. Some requests may appear unclear or very broad but, if you can have an open conversation with the requester about the information they require, it is likely you can reduce the costs and effort incurred in searching for that information. It is worth noting that the ICO may take into account your readiness to engage with the requestor if it receives a complaint about how a SAR is handled. (If you don’t already, you may find it helpful to make a note of your contacts with SAR requesters).
- Think about the benefits the information could have to the requester when considering any difficulties you might have in complying with their request. Remember, the burden of proof is on you, as data controller, to show that you have taken all reasonable steps to comply with a SAR and weighing up the possible benefits to the requester will help to put ‘reasonable steps’ on your part into perspective.
- Always remember that the requester’s purposes are irrelevant to your duties as a data controller.
- You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up: “… to the extent that your search mechanisms allow you to find archived or backed-up data for your own purposes, you should use the same effort to find information in order to respond to a SAR”. NB: The ICO does not require organisations to expend time and effort reconstituting information that they have deleted as part of their general records management.
- Do not instruct staff to search their private emails or personal devices in response to a SAR unless you have a good reason to believe they are holding relevant personal data.
Finally, as regards the ICO’s own powers to get involved in disputes about SARs, the Code explains that: “The [ICO] will not necessarily serve an enforcement notice simply because an organisation has failed to comply with the subject access provisions. Before serving a notice [ICO] has to consider whether the contravention has caused or is likely to cause any person damage or distress. [The ICO] can serve a notice even though there has been no damage or distress but it must be reasonable, in all the circumstances … to do so. [The ICO] will not require organisations to take unreasonable or disproportionate steps to comply with the law on subject access.”
So, be aware of the legal principles, but be nice too!
This article is intended for informational purposes only, so please don’t rely on it as legal advice!