The Information Commissioner’s Office (ICO) has updated its guidance to its code of practice on subject access requests (SARs) under the Data Protection Act to reflect recent developments in case law.
Disproportionate Effort Exemption
The ICO expects data controllers to:
Purpose of a SAR
The code of practice confirms that the requester’s purposes in making a SAR (including as a precursor for any potential legal proceedings) are irrelevant.
The ICO confirms that while its enforcement powers include serving an enforcement notice, it’s unlikely such a step would be taken unless the non-compliance is likely to cause damage or distress, or is otherwise reasonable under all the circumstances.
The code confirms that generally, the ICO would not expect staff to be instructed to search their private emails or personal devices in response to a SAR, unless the data controller has a good reason to believe they are holding relevant personal data.
Clarkslegal are currently hosting a ‘Getting to Grips with Data Protection’ webinar series. On 24th July, we’ll be covering the upcoming changes from the new EU General Data Protection Regulation (signup is free). The third webinar in the series will take place in September and will cover responding to subject access requests.