Information Commissioner's Office
Subject access policy updated after court rulings on disproportionate effort
Blog posted by: Vivienne Adams, Senior Policy Officer, 05 July 2017.
As July arrives and brings with it summer (albeit a damp version of it here in Wilmslow so far), there are now fewer than 11 months until the arrival of the much-heralded GDPR.
As you can imagine, that means a busy time in the policy team, working on the guidance to help organisations understand the new law. But while there’s plenty of work still to do there, our work on guidance for the Data Protection Act (DPA) doesn’t stop.
The DPA is, after all, the current law. And as its interpretation is adapted and evolves through court decisions, so must our corresponding guidance.
The latest updates we’ve made to the Guide to data protection and also our CCTV and Subject access request (SAR) codes of practice are a case in point. Please see the appendix below for more details.
Earlier this year, two Court of Appeal judgments – Dawson-Damer & Ors v Taylor Wessing LLP EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford EWCA Civ 121 – were published which were particularly notable for how they dealt with disproportionate effort around subject access requests.
Those judgments clarified that data controllers can take into account difficulties which occur throughout the process of complying with a request, including difficulties in finding the requested information.
That doesn’t mean organisations should try to avoid replying to subject access requests. The burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps.
And even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you should still try to comply with the request in some other way.
It’s another stage of the evolution of the law. If you want to keep up-to-date on future changes to guidance, it’s worth signing up to our e-newsletter, which provides monthly updates on all things information rights.
Details of changes to ICO guidance and codes of practice
Disproportionate effort and the handling of SARs
We have amended chapters 6 and 8 on the application of the disproportionate effort exception in s8(2) of the DPA: the extent of the duty to provide subject access, information contained in emails and supplying information in permanent form.
In chapters 5 and 6 we have highlighted to organisations that when they design or specify systems such as CCTV they should bear in mind the need to facilitate the handling of SARs.
National scope of LPP exemption
We have also clarified in chapter 9 that personal data is exempt from the right of subject access if it consists of information for which legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
Court’s discretion under s7(9) DPA
We have amended chapters 9 and 11 to state the Court of Appeal’s view that the court has a wide discretion to order compliance with a SAR, and to include the factors it listed. The existence of a collateral purpose or legal proceedings when making a SAR is irrelevant.
Other changes to the SAR code
We have also taken the opportunity to make other changes to the Subject access code of practice:
- In chapter 10 we have clarified, in order to avoid confusion, that the ICO is not the responsible regulator for legislation on access to pupils’ educational records.
- At the end of chapter 11 we have inserted a new paragraph stating the position on enforced subject access.
- Throughout the code, we have changed references to the gender of the Commissioner to the feminine.
We’ve amended section 5.2.3 of the CCTV code of practice to reflect the Court of Appeal’s judgments on the application of the disproportionate effort exception.
We’ve also amended the wording of sections 5, 6 and 7 to highlight to organisations the need to ensure the design of CCTV and other surveillance systems facilitates the handling of SARs.
Finally we’ve removed references to old cases, and updated old links.
We’ve amended the section “What if sending out copies of information will be expensive or time consuming?” to reflect the Court of Appeal’s judgments on the disproportionate effort exception.
We have also amended the section on exemptions: “Legal advice and proceedings” to state that the exemption applies where legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
Vivienne Adams is a Senior Policy Officer in the ICO’s Policy and Engagement Department, working on information rights policies and providing advice and guidance to colleagues and stakeholders.