Last week, the Information Commissioner's Office (ICO) published a Code of Practice on how to deal with subject access requests - a topic many employers will no doubt be familiar with and often as a precursor to, or during, employment tribunal litigation.
Dealing with such requests can be time consuming and can often throw up concerns about what information should and should not be disclosed to an individual in response to their request. According to the ICO, during the last financial year, it handled over 6,000 complaints concerning the way subject access requests were handled by organisations. The overarching intention of the Code is to "help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect."
The ICO has a duty under the Data Protection Act to promote good practice and the Code therefore sets out practical guidance on various issues including:
- how to recognise a subject access request;
- what to do if you get a request and how to respond to the request;
- how to find and retrieve the relevant information;
- how to deal with requests involving other people's information;
- circumstances in which personal data is exempt from disclosure or may need to be redacted;
- the ICO's enforcement powers; and
- a ten step checklist to consider when handling a subject access request.
The Code is likely to be a welcome source of guidance if you do receive a subject access request. Whilst the Code provides advice on good practice, it does not have the force of law and the ICO cannot take enforcement action if there is a failure to adopt good practice or to act on the Code's recommendations unless that itself breaches the Data Protection Act.
Later this year, the ICO will be carrying out a "subject access request sweep" of websites with the intention of looking at the information that public, private and third sector organisations are providing to anyone who may want to make a subject access request. The ICO intends to publish a report on this issue in 2014.