New Subject Access Request guidance issued
19 July 2017 #Data Protection
The Information Commissioner’s Office (ICO) has updated its guidance to its code of practice on subject access requests (SARs) under the Data Protection Act to reflect recent developments in case law.
Disproportionate Effort Exemption
The ICO expects data controllers to:
- Rely on the “Disproportionate Effort” exemption only in exceptional cases (for example, where supplying a copy of the data results in so much additional work or expense that this outweighs the right of access);
- Evaluate the particular circumstances of each request, and balance any difficulties in complying with the request against the benefits the information might bring to the data subject; and
- Actively engage with the applicant about what information they require (in any event this could reduce the expense/effort required by the data controller to comply).
Purpose of a SAR
The code of practice confirms that the requester’s purposes in making a SAR (including as a precursor for any potential legal proceedings) are irrelevant.
The ICO confirms that while its enforcement powers include serving an enforcement notice, it’s unlikely such a step would be taken unless the non-compliance is likely to cause damage or distress, or is otherwise reasonable under all the circumstances.
The code confirms that generally, the ICO would not expect staff to be instructed to search their private emails or personal devices in response to a SAR, unless the data controller has a good reason to believe they are holding relevant personal data.
Clarkslegal are currently hosting a ‘Getting to Grips with Data Protection’ webinar series. On 24th July, we’ll be covering the upcoming changes from the new EU General Data Protection Regulation (signup is free and can be found here). The third webinar in the series will take place in September and will cover responding to subject access requests.