Subject Access Requests: ICO Consultation

December 13, 2012

The ICO has launched a consultation on a new draft code which aims to help organisations handle subject access requests, while supporting the public in taking control of their personal information.

Under the Data Protection Act 1998, anyone has the right to find out what information an organisation holds about them by making a subject access request. Once received, an organisation normally has 40 days to reply to the request.

During the last financial year, the ICO handled nearly 6,000 complaints from individuals unhappy that organisations were not complying with the law by allowing them to view their file – more than any other type of complaint. The final version of the code will aim to clear up any confusion, by clearly and simply explaining an organisation’s legal responsibilities and individuals’ rights under the Act.

Announcing the start of the ICO’s consultation, David Smith, Deputy Commissioner and Director of Data Protection, said:

‘At a time when organisations are collecting more and more of information about us, whether online or offline, subject access requests play an increasingly important role in helping us take control of our personal information. They can also benefit organisations by highlighting inaccuracies in their records and giving them the opportunity to update the information they keep about us. We have published the draft subject access code on our web site to provide an early indication of what our guidance will look like. We would now like to hear from individuals and organisations who have experience with handling or making subject access requests to see where they believe the draft code could be improved. We will then publish a final version of the code in Spring 2013.’

Further information is available on the ICO’s consultation page. The closing date for this consultation is 21 February 2013.