
Data subject access request


ICO publishes SAR guidance.

New tools from the UK’s Information Commissioner’s Office: how to respond to subject access requests

(LONDON) The UK ICO has come through yet again with some clear guidance as to how to apply the UK’s data protection laws in connection with requests by individuals for access to their personal data.

While we are waiting with bated breath for a final version of the new Data Protection Regulation (earlier posts here and here), it’s worth remembering that compliance with the existing regime is still vital – and any guidance from the ICO regarding the current statutory requirements is certainly worth noting. The Data Protection Act 1998 (Section 7) gives individuals the right to request disclosure of the information that an organization holds about them. (Other EU countries have similar access rights, as required by the current Data Protection Directive.)

The latest guidance from the ICO addresses the potentially daunting question of how to respond to such “subject access requests.”

ICO to check out websites for adequate subject access request wording

Following a public consultation in December 2012 on a draft version, the Information Commissioner's Office (ICO) published its final Subject Access Code of Practice on 8 August 2013.

Like all other data protection laws in the EU, the Data Protection Act 1998 (DPA) includes the principle that anyone has the right to find out what information an organisation holds about them by making a ‘subject access request’ (SAR). But when faced with such a request, organisations often feel confused, daunted or even frustrated as to how to properly handle and respond to a SAR. How do we carry out a full search for all their personal data? How do we ensure that the privacy of others isn’t infringed when responding? There are on-going legal proceedings – don’t the discovery rules provide a more appropriate method of providing information? The code also includes ten simple steps to consider when responding to SARs:

Subject access requests: a checklist

Last week, the Information Commissioner's Office ("ICO") released a new code of practice to assist organisations faced with requests from individuals seeking to obtain their personal information.

As well as conferring rights on individuals, the Data Protection Act 1998 also places obligations on organisations when handling subject access requests. Organisations tasked with responding to subject access requests should align their processes with the recent ICO guidance and consider the following points in particular:

Ascertain if the request for information is a subject access request, i.e. is it in writing (this does not necessarily mean letter form and includes email and may even include requests made via social media) and in pursuit of the individual's personal data – personal data is that which can enable an individual to be identified, e.g. bank account details, employment particulars etc.

Confirm the requester's identity.

New ICO Subject Access Code of Practice

The Information Commissioner’s Office (ICO) has today published new guidance for organisations to help them deal with requests from individuals for their data.

Under the Data Protection Act, anyone has the right to find out what information an organisation holds about them by making a subject access request. This right allows individuals to find out important information ranging from details recorded on their credit history to data included in their health record. Once received, an organisation normally has forty days to reply to the request. During the last financial year the ICO handled over 6,000 complaints related to subject access requests, with over one in six of these complaints relating to money lenders, including credit reference agencies and banks. The new guidance – which has been accredited by the Plain Language Commission – will help organisations handle subject access requests more efficiently, while supporting the public in taking control of their personal information. 1.