Information Commissioner's Office
Subject access policy updated after court rulings on disproportionate effort
Blog posted by: Vivienne Adams, Senior Policy Officer, 05 July 2017.
As July arrives and brings with it summer (albeit a damp version of it here in Wilmslow so far), there are now fewer than 11 months until the arrival of the much-heralded GDPR.
As you can imagine, that means a busy time in the policy team, working on the guidance to help organisations understand the new law. But while there’s plenty of work still to do there, our work on guidance for the Data Protection Act (DPA) doesn’t stop.
The DPA is, after all, the current law. And as its interpretation is adapted and evolves through court decisions, so must our corresponding guidance.
The latest updates we’ve made to the Guide to data protection and also our CCTV and Subject access request (SAR) codes of practice are a case in point. Please see the appendix below for more details.
Earlier this year, two Court of Appeal judgments – Dawson-Damer & Ors v Taylor Wessing LLP  EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford  EWCA Civ 121 – were published which were particularly notable for how they dealt with disproportionate effort around subject access requests.
Those judgments clarified that data controllers can take into account difficulties which occur throughout the process of complying with a request, including difficulties in finding the requested information.
That doesn’t mean organisations should try to avoid replying to subject access requests. The burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps.
And even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you should still try to comply with the request in some other way.
It’s another stage of the evolution of the law. If you want to keep up-to-date on future changes to guidance, it’s worth signing up to our e-newsletter, which provides monthly updates on all things information rights.
Details of changes to ICO guidance and codes of practice
Disproportionate effort and the handling of SARs
We have amended chapters 6 and 8 on the application of the disproportionate effort exception in s8(2) of the DPA: the extent of the duty to provide subject access, information contained in emails and supplying information in permanent form.
In chapters 5 and 6 we have highlighted to organisations that when they design or specify systems such as CCTV they should bear in mind the need to facilitate the handling of SARs.
National scope of LPP exemption
We have also clarified in chapter 9 that personal data is exempt from the right of subject access if it consists of information for which legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
Court’s discretion under s7(9) DPA
We have amended chapters 9 and 11 to state the Court of Appeal’s view that the court has a wide discretion to order compliance with a SAR, and to include the factors it listed. The existence of a collateral purpose or legal proceedings when making a SAR is irrelevant.
Other changes to the SAR code
We have also taken the opportunity to make other changes to the Subject access code of practice:
- In chapter 10 we have clarified, in order to avoid confusion, that the ICO is not the responsible regulator for legislation on access to pupils’ educational records.
- At the end of chapter 11 we have inserted a new paragraph stating the position on enforced subject access.
- Throughout the code, we have changed references to the gender of the Commissioner to the feminine.
We’ve amended section 5.2.3 of the CCTV code of practice to reflect the Court of Appeal’s judgments on the application of the disproportionate effort exception.
We’ve also amended the wording of sections 5, 6 and 7 to highlight to organisations the need to ensure the design of CCTV and other surveillance systems facilitates the handling of SARs.
Finally we’ve removed references to old cases, and updated old links.
We’ve amended the section “What if sending out copies of information will be expensive or time consuming?” to reflect the Court of Appeal’s judgments on the disproportionate effort exception.
We have also amended the section on exemptions: “Legal advice and proceedings” to state that the exemption applies where legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
Vivienne Adams is a Senior Policy Officer in the ICO’s Policy and Engagement Department, working on information rights policies and providing advice and guidance to colleagues and stakeholders.