Following a public consultation in December 2012 on a draft version, the Information Commissioner's Office (ICO) published its final Subject Access Code of Practice on 8 August 2013.
Like all other data protection laws in the EU, the Data Protection Act 1998 (DPA) gives individuals the right to find out what personal data an organisation holds about them by making a 'subject access request' (SAR). But when faced with such a request, organisations are often confused, daunted or even frustrated about how to handle and respond to it properly. How do we carry out a full search for all of the requester's personal data? How do we ensure that the privacy of others isn't infringed when responding? If there are ongoing legal proceedings, don't the discovery rules provide a more appropriate method of providing information?
So the ICO's code of practice aims to help organisations in the public, private and non-profit sectors handle SARs and provides practical guidance on the subject, from how to recognise a SAR to how to actually deal with and respond to such requests. The code explains the circumstances in which organisations can refuse to provide all or some of the information requested, under the 'exemptions' from the duty to comply with a SAR set out in Schedule 7 of the DPA.
The code also includes ten simple steps to consider when responding to SARs:
1. Identify whether a request should be considered as a SAR.
2. Make sure you have enough information to be sure of the requester's identity.
3. If you need more information from the requester to find out what they want, then ask at an early...