ICO consults on right of access guidance

December 6, 2019

The ICO has issued a consultation on draft guidance on the right of access, closing on 12 February 2020.

The right of access (known as subject access) is a fundamental right under the GDPR and pre-dates that legislation. It allows individuals to find out what personal data is held about them and to obtain a copy of that data, as well as information about how their data is being processed. The information about how data is processed should largely correspond with the information that should be provided in a privacy notice anyway. This includes, for example, where the personal data was collected from and the existence of automated decision making.

The ICO published initial guidance in April 2018 but has now drafted more detailed guidance, which explains more fully the rights that individuals have to access their personal data and the obligations on controllers. It is aimed at data protection officers and those with specific data protection responsibilities in larger organisations.

It covers recognition of subject access requests (SARs), making the point that there is nothing to prevent someone making a request via social media. The guidance also deals with issues relating to requests from third parties, including those with powers of attorney and requests made via third party portals.

The draft guidance also explores SARs from or about children and people with disabilities, as well as the special rules involving certain categories of personal data, how to deal with requests involving the personal data of others, and the exemptions that are most likely to apply in practice when handling a request. It also addresses how to deal with requests if you are a joint data controller or work with data processors. How you satisfy yourself about the identity of an applicant is also considered.

Information management systems should ease processing of SARs by enabling organisations to easily locate and extract personal data. Systems should also be designed to allow redaction of third party data where necessary. New systems should be designed with SARs in mind. Organisations also require robust records management policies, which again should be designed with SARs in mind.

The guidance covers the time limits for responding to SARs as well as how to respond, which information needs to be included and how to search records. It also covers how to provide the information to the individual, which can be done verbally in certain circumstances, and what to do if the request is also a data portability request.

The ICO is consulting on the draft guidance to gather the views of stakeholders and the public. These views will inform the published version of the guidance by helping the ICO to understand the areas where organisations are seeking further clarity, in particular taking into account their experiences in dealing with subject access requests since May 2018, when the GDPR came into force.