11 October 2013 #Employment
In March we blogged that the ICO had launched a consultation asking for feedback on a new code of practice for handling data subject access requests under the Data Protection Act 1998.
The ICO received 86 responses in total and the new code was published in August this year.
The ICO did make some changes to the code based on the responses it received. For example, the code now includes sections on how to deal with requests that are made via social media and how to deal with bulk requests.
However, the code still fails to address significant issues such as how to deal with requests which, from the outset, are likely to take longer than 40 days to comply with. The code simply restates that “provided that you deal with the request in your normal course of business, without reasonable delay, and within the 40 day period you are likely to comply with the duty to comply promptly”.
The code also sheds no light on how extensive the search for data must be. In fact, it is quite confusing. On the one hand it states that an organisation should be prepared to make extensive efforts to find and retrieve the requested information and that the right of subject access is fundamental to data protection. However, it then says that organisations are not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information.
Whilst it is useful to consolidate several guidance documents into one code, the ICO has missed an opportunity here to address more significant matters and to provide much needed guidance to organisations struggling to deal with these requests.
The ICO has confirmed that it intends to carry out a ‘subject access request sweep’ of websites later in the year. This will involve looking at the information that organisations in the public, private and third sectors are providing to anyone who may want to make a subject access request. This project will result in a report that will be published in the new year.