New ICO Subject Access Code of Practice

August 7, 2013

Under the Data Protection Act 1998, anyone has the right to find out what information an organisation holds about them by making a subject access request. This right allows individuals to find out important information ranging from details recorded on their credit history to data included in their health record. Once received, an organisation normally has 40 days to reply to the request.

During the last financial year, the ICO handled over 6,000 complaints related to subject access requests, with over one in six of these complaints relating to money lenders, including credit reference agencies and banks.

The new guidance – which has been accredited by the Plain Language Commission – will help organisations handle subject access requests more efficiently, while supporting the public in taking control of their personal information.

Announcing the publication of the ICO’s new Subject Access Code of Practice, the Information Commissioner, Christopher Graham, said:

‘We are all being asked to provide organisations with more and more information about ourselves and subject access requests are a useful tool for keeping control of our data. They can be particularly important when checking your credit rating or applying for a loan, but the ICO’s complaints figures show that many organisations still need to improve their processes for dealing with these requests.

Handling subject access requests correctly can also benefit organisations by highlighting errors and helping them to make sure the information they are using is accurate and up-to-date.

Our new Subject Access Code of Practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect. This can only be a good thing for organisations and consumers.’

As part of the launch, the ICO has published ten simple steps which organisations should consider when responding to subject access requests.

1. Identify whether a request should be considered as a subject access request

2. Make sure you have enough information to be sure of the requester’s identity

3. If you need more information from the requester to find out what they want, then ask at an early stage

4. If you’re charging a fee, ask for it promptly

5. Check whether you have the information the requester wants

6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…

7. …But do consider whether the records contain information about other people

8. Consider whether any of the exemptions apply

9. If the information includes complex terms or codes, then make sure you explain them

10. Provide the response in a permanent form, where appropriate

The ICO will also be carrying out a ‘subject access request sweep’ of web sites later in the year. The project will look at the information that organisations in the public, private and third sectors are providing to anyone who may want to make a subject access request, and will prompt a report that will be published in the new year.