ICO issues new code of practice on subject access requests

August 9, 2013

The Information Commissioner’s Office has issued a new code of practice on subject access requests.

The watchdog said it had received more than 6,000 complaints in the last year alone about organisations’ handling of these requests.

The ICO said the new guidance, which can be viewed here, would help organisations make their request-handling more efficient as well help the public take control of their personal information.

The Information Commissioner, Christopher Graham, said: “We are all being asked to provide organisations with more and more information about ourselves and subject access requests are a useful tool for keeping control of our data…..

“Handling subject access requests correctly can also benefit organisations by highlighting errors and helping them to make sure the information they are using is accurate and up-to-date.”

As well as publishing the code of practice, the watchdog has set out ten steps that organisations should consider when responding to subject access requests. They are:

“1. Identify whether a request should be considered as a subject access request.

2. Make sure you have enough information to be sure of the requester’s identity.

3. If you need more information from the requester to find out what they want, then ask at an early stage.

4. If you’re charging a fee, ask for it promptly.

5. Check whether you have the information the requester wants.

6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…

7. …But do consider whether the records contain information about other people.

8. Consider whether any of the exemptions apply.

9. If the information includes complex terms or codes, then make sure you explain them.

10. Provide the response in a permanent form, where appropriate.”

The ICO added that it would also be carrying out a ‘subject access request sweep’ of websites later in 2013.

“The project will look at the information organisations in the public, private and third sector are providing to anyone who may want to make a subject access request, and will prompt a report that will be published in the new year,” the ICO said.