Information Commissioner's Office
Subject access policy updated after court rulings on disproportionate effort
Blog posted by: Vivienne Adams, Senior Policy Officer, 05 July 2017.
As July arrives and brings with it summer (albeit a damp version of it here in Wilmslow so far), there are now fewer than 11 months until the arrival of the much-heralded GDPR.
As you can imagine, that means a busy time in the policy team, working on the guidance to help organisations understand the new law. But while there’s plenty of work still to do there, our work on guidance for the Data Protection Act (DPA) doesn’t stop.
The DPA is, after all, the current law. And as its interpretation is adapted and evolves through court decisions, so must our corresponding guidance.
The latest updates we’ve made to the Guide to data protection and also our CCTV and Subject access request (SAR) codes of practice are a case in point. Please see the appendix below for more details.
Earlier this year, two Court of Appeal judgments – Dawson-Damer & Ors v Taylor Wessing LLP  EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford  EWCA Civ 121 – were published which were particularly notable for how they dealt with disproportionate effort around subject access requests.
Those judgments clarified that data controllers can take into account difficulties which occur throughout the process of complying with a request, including difficulties in finding the requested information.
That doesn’t mean organisations should try to avoid replying to subject access requests. The burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps.
And even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you should still try to comply with the request in some other way.
It’s another stage of the evolution of the law. If you want to keep up-to-date on future changes to guidance, it’s worth signing up to our e-newsletter, which provides monthly updates on all things information rights.
Details of changes to ICO guidance and codes of practice
Disproportionate effort and the handling of SARs
We have amended chapters 6 and 8 on the application of the disproportionate effort exception in s8(2) of the DPA: the extent of the duty to provide subject access, information contained in emails and supplying information in permanent form.
In chapters 5 and 6 we have highlighted to organisations that when they design or specify systems such as CCTV they should bear in mind the need to facilitate the handling of SARs.
National scope of LPP exemption
We have also clarified in chapter 9 that personal data is exempt from the right of subject access if it consists of information for which legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
Court’s discretion under s7(9) DPA
We have amended chapters 9 and 11 to state the Court of Appeal’s view that the court has a wide discretion to order compliance with a SAR, and to include the factors it listed. The existence of a collateral purpose or legal proceedings when making a SAR is irrelevant.
Other changes to the SAR code
We have also taken the opportunity to make other changes to the Subject access code of practice:
- In chapter 10 we have clarified, in order to avoid confusion, that the ICO is not the responsible regulator for legislation on access to pupils’ educational records.
- At the end of chapter 11 we have inserted a new paragraph stating the position on enforced subject access.
- Throughout the code, we have changed references to the gender of the Commissioner to the feminine.
We’ve amended section 5.2.3 of the CCTV code of practice to reflect the Court of Appeal’s judgments on the application of the disproportionate effort exception.
We’ve also amended the wording of sections 5, 6 and 7 to highlight to organisations the need to ensure the design of CCTV and other surveillance systems facilitates the handling of SARs.
Finally we’ve removed references to old cases, and updated old links.
We’ve amended the section “What if sending out copies of information will be expensive or time consuming?” to reflect the Court of Appeal’s judgments on the disproportionate effort exception.
We have also amended the section on exemptions: “Legal advice and proceedings” to state that the exemption applies where legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
Vivienne Adams is a Senior Policy Officer in the ICO’s Policy and Engagement Department, working on information rights policies and providing advice and guidance to colleagues and stakeholders.