As Panopticon devotees will know, the early months of 2017 brought a flurry of judgments about subject access requests – most importantly, in the Dawson-Damer and Ittihadieh/Deer cases. The principles from those judgments have now been incorporated into a revised ICO Code of Practice on subject access requests, published last week. The revised Code is important not only because it reflects up-to-date caselaw, but also because it tells us how the ICO expects to see subject access requests dealt with in practice.
Here are some of the key revisions.
First, there is of course a more data controller-friendly perspective on the burden of compliance with a SAR: as the Court of Appeal has confirmed, data controllers are required to take reasonable and proportionate steps. But that does not mean they can merely assert disproportionate burden. The ICO expects this:
“When responding to SARs, we expect you to evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, whilst bearing in mind the fundamental nature of the right of subject access.
In order to apply the exception, the burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps.”
Second, the ICO expects to see parties engage in productive dialogue about SARs:
“We consider it good practice for you to engage with the applicant, having an open conversation about the information they require. This might help you to reduce the costs and effort that you would otherwise incur in searching for the information.
If we receive a complaint about your handling of a subject access request, we may take into account your readiness to engage with the applicant and balance this against the benefit and importance of the information to them, as well as taking into account their level of co-operation with you in the course of the handling of a request.”
And when it comes to (sigh) repeated SARs:
“… in practice we would accept that you may attempt to negotiate with the requester to get them to restrict the scope of their SAR to the new or updated information; but if they insist upon a full response then you would need to supply all the information.”
Third, the requester’s purposes are irrelevant to your duties as a data controller – but (in the spirit of dialogue) they may help you ensure you find what they are really looking for.
Fourth, what about information contained in archived/backup/deleted material? There is a lengthy and helpful discussion of these issues at pages 29-30 of the new Code. Here are some highlights:
“You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up. The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. However, as you have decided to retain copies of the data for future reference, you will presumably be able to find the data, possibly with the aid of location information from the requester. So you will be required to provide such information in response to a SAR.
… to the extent that your search mechanisms allow you to find archived or backed-up data for your own purposes, you should use the same effort to find information in order to respond to a SAR.
… The Commissioner does not require organisations to expend time and effort reconstituting information that they have deleted as part of their general records management.”
Fifth, generally speaking, “we would not expect you to instruct staff to search their private emails or personal devices in response to a SAR unless you have a good reason to believe they are holding relevant personal data.”
Finally, as regards the ICO’s own powers to get involved in disputes about SARs, the ICO explains that it can serve an enforcement notice, but adds that:
“The Information Commissioner will not necessarily serve an enforcement notice simply because an organisation has failed to comply with the subject access provisions. Before serving a notice she has to consider whether the contravention has caused or is likely to cause any person damage or distress. She can serve a notice even though there has been no damage or distress but it must be reasonable, in all the circumstances, for her to do so. She will not require organisations to take unreasonable or disproportionate steps to comply with the law on subject access.”
So, requesters and data controllers: be alive to the legal principles, but be nice to each other too. Or at least pay attention to how the ICO expects you to behave when it comes to contentious SARs.
Robin Hopkins @hopkinsrobin