New subject access code published by ico

Yesterday I posted about a new and important High Court judgment on the application of the subject access regime. As it happens, yesterday was also the day on which the Information Commissioner published his new ‘Subject Access Code of Practice’. This is an important document which requires careful consideration by anyone working in the DPA field. Points which are particularly worthy of note include the following:

  • subject access a ‘fundamental right’ – The Commissioner identifies the data subject’s right to access his or her personal data as a ‘fundamental right’ (p. 7). However, interestingly the code does not examine in any detail why this is such an important right. Instead, it simply says: ‘Enabling individuals to find out what personal data you hold about them, why you hold it and who you disclose it to is fundamental to good information-handling practice. The Data Protection Act 1998 (DPA) gives individuals the right to require you to do this.’  (p. 5). However, it is important that data controllers understand why the subject access right is such a fundamental right. The answer to this question lies very clearly in the recitals to the EU Directive from which the DPA is derived, Data Protection Directive 95/46/EC. Those recitals make clear that the underlying objective of the data protection regime is to ensure that personal data is handled in a way that properly protects the privacy of data subjects. The subject access regime is designed to support the privacy rights of individuals by ensuring that they are, in effect, able to monitor how data controllers are processing their data.


  • requests made by social media – applicants are entitled in principle to make subject access requests via the data controller’s Facebook page, its Twitter account or any other social media sites to which it subscribes, although the Commissioner accepts that this may not be the most effective way to deliver a request in a form which will enable the data controller to respond to it easily and quickly (p. 10).


  • a child’s right of access – Data about a child belongs to that child, rather than to any parent or guardian. It is therefore the child which enjoys the right of access to their data, albeit that that right may be exercised on their behalf by their parent or guardian. A variety of considerations come into play when a data controller is asked to respond to a request made by a child directly (p. 11).


  • purpose of the request not a relevant consideration at the stage when requests are being responded to – The Commissioner continues to take the position that an applicant’s purpose or motive in making a subject access request does not affect the request’s validity or the data controller’s duty to respond to it (p. 20). This is an important consideration because very often subject access requests are not made for the purpose of ensuring that a data controller is processing the data subject’s data in a manner which safeguards their privacy but rather in order to afford a data subject an advantage in litigation which they are conducting, usually against the data controller. It should be noted that the Commissioner’s position on this issue has yet to be tested by the High Court or any appellate court (cf. the Southern Pacific Personal Loans case I blogged about yesterday and compare the conclusion reached by the Court of Appeal in Abadir, which you can read about here). See further the discussion of the Commissioner’s enforcement powers below.


  • scope of the data controller’s search obligations – A key consideration for data controllers when they are responding to subject access requests is how far they have to go when searching their complex, multi-layered information systems for potentially relevant data. The Commissioner has now made clear that considerations of reasonableness and proportionality can properly come into play as and when a data controller is considering how to discharge its search obligations. Thus, the code states that, whilst there are ‘no express limits’ on the search obligation provided for under the DPA, data controllers are: ‘not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information’. That said, the code goes on to attenuate the effect of this conclusion by stating that: data controllers should still ‘be prepared to make extensive efforts to find and retrieve the requested information’; any decision as to the scope of the data controller’s search obligations should take into account the fundamental nature of the right afforded under s. 7 and, further, requests cannot be refused simply because they are ‘labour-intensive or inconvenient’ (p. 22). This analysis will give little comfort to small and medium sized businesses where wide-ranging subject access requests may have commercially crippling effects.


  • Commissioner’s enforcement functions – The code alludes to the Commissioner’s power to issue an enforcement notice in cases where a data controller has failed to comply with its obligations under the subject access provisions. It makes clear that: a notice will not necessarily be served ‘simply because an organisation has failed to comply with the subject access provisions’; the Commissioner will consider whether the failure is likely to cause or has caused the data subject to suffer damage or distress (as per the requirements of s. 40(2) DPA); whilst he can serve a notice in the absence of  damage or distress, ‘it must be reasonable, in all the circumstances, for him to do so’; and importantly ‘he will not require organisations to take unreasonable or disproportionate steps to comply with the law on subject access’ (p. 53).


  • Importantly, the code goes on to allude to the fact that, where an applicant seeks to enforce their subject access rights by going to the court under s. 7(9) DPA, the court may treat the application as an abuse of process if the request has been made against a backdrop of litigation and as a means of accessing information which ought properly to be dealt with through the disclosure process. However, somewhat unhelpfully the code is entirely unclear on whether the Commissioner would regard this as a relevant consideration in the context of the discharge of his statutory enforcement functions. Instead, it simply refers the reader back to the point made in chapter 9 of the code that request cannot be refused based on the purpose for which it was made (p. 59). Of course from the data controllers point of view, it would obviously be entirely unsatisfactory if there were to be an asymmetry in the enforcement regime, with a data subject being able to get a better result if they seek enforcement from the Commissioner under s. 40 as opposed to the result they would get if they went to court under s. 7(9). Query whether the Commissioner ought in the circumstances to be striving to achieve an approach to enforcement which is aligned with the approach adopted by the courts.

Anya Proops