The latest guidance published by the Information Commissioners Office (ICO), entitled ‘Subject Access Code of Practice’[1], seeks to clarify the compliance requirements of a data controller in relation to subject access requests (SAR). The Data Protection Act 1998 (DPA) requires personal data to be processed in accordance with the rights of data subjects. Subject access is one of those rights.

Many organisations are often unsure how to proceed following the receipt of a SAR from a data subject, with many concerns readily apparent. What information is the data subject entitled to receive? What should be done if the data includes information about other people? What data should be sent to the data subject if the data has been amended or added to following receipt of the SAR?

The code primarily seeks to clarify how to recognise a subject access request and to provide data controllers with practical advice about how to deal with, and respond to, such a request. The code also provides guidance on the limited circumstances under Schedule 7 of the DPA under which personal data is exempt from subject access.

The code is the Information Commissioner’s interpretation of good practice in order to comply with the DPA and does go beyond the strict requirements of the DPA. It is the DPA that dictates the obligations that organisations are required to comply with; the code is not mandatory and does not have force of law; although code compliance is likely to be seen as best practice and reduce the likelihood of the ICO taking any action.

Supplementary to the launch of the new code, the ICO has published[2] ten simple steps which organisations should consider when responding to SARs.

  1. Identify whether a request should be considered as a subject access request
  2. Make sure you have enough information to be sure of the requester’s identity
  3. If you need more information from the requester to find out what they want, then ask at an early stage
  4. If you’re charging a fee, ask for it promptly
  5. Check whether you have the information the requester wants
  6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…
  7. But do consider whether the records contain information about other people
  8. Consider whether any of the exemptions apply
  9. If the information includes complex terms or codes, then make sure you explain them
  10. Provide the response in a permanent form, where appropriate.

The publication of the code also brings with it a warning to all organisations that operate websites. The ICO will be conducting what they term a ‘subject access sweep’ during the latter part of this year, with the results expected to be published during early 2014. The aim of the ‘sweep’ is to determine what information organisations are providing to anyone who may want to make a SAR. Organisations should therefore review any information contained on their website in relation to SARs (whether contained within the website privacy policy or elsewhere) to determine whether they are in compliance with the DPA; or whether any update may be required.

For further information on the above topic, please contact Roy Colaba on 0121 698 2200 or fill in our online enquiry form.




UK Top Tier Firm 2017 Lexcel Practice Management Standard Birmingham Law Firm of the Year for 2011 Resolution Collaborative Family Lawyer The Law Society Accredited in Family Law Conveyancing Quality Scheme