On 8 August 2013 the Information Commissioner’s Office published a new Subject Access Code of Practice. The 58-page guide offers a great deal of practical information concerning how to deal with requests.
It is comprehensive and commendably straightforward and, as such, it’s essential reading and reference for anyone who has to deal with subject access requests.
Introducing the Code, the Information Commissioner, Christopher Graham, said:
We are all being asked to provide organisations with more and more information about ourselves and subject access requests are a useful tool for keeping control of our data. They can be particularly important when checking your credit rating or applying for a loan, but the ICO’s complaints figures show that many organisations still need to improve their processes for dealing with these requests.
Handling subject access requests correctly can also benefit organisations by highlighting errors and helping them to make sure the information they are using is accurate and up-to-date.
Our new subject access code of practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect. This can only be a good thing for organisations and consumers.
The Code attempts to tackle the thorny question of whether there is an obligation to comply with a subject access request when the person making the request is contemplating or has already commenced legal proceedings. My view, based on my experience of the rules concerning disclosure of documents in civil proceedings, is that making such a request with the express purpose of securing “back door disclosure” is an obvious and plainly unacceptable abuse of the process. Why have court rules concerning disclosure if they can effectively be disregarded by utilising the subject access procedure?
Unsurprisingly, the Information Commissioner disagrees. According to the Code:
Where legal professional privilege cannot be claimed, you may not refuse to supply information in response to a SAR simply because the information is requested in connection with actual or potential legal proceedings. The DPA contains no exemption for such information; indeed, it says the right of subject access overrides any other legal rule that limits disclosure. In addition, there is nothing in the Act that limits the purposes for which a SAR may be made, or which requires the requester to tell you what they want the information for.
It has been suggested that case law provides authority for organisations to refuse to comply with a SAR where the requester is contemplating or has already begun legal proceedings. The Information Commissioner does not accept this view, but he recognises that:
- the courts have discretion as to whether or not to order compliance with a SAR; and
- if a court believes that the disclosure of information in connection with legal proceedings should, more appropriately, be determined by the Civil Procedure Rules (the courts’ rules on disclosure), it may refuse to order personal data to be disclosed (see chapter 11).
Nevertheless, simply because a court may choose not to order the disclosure of an individual’s personal data does not mean that, in the absence of a relevant exemption, the DPA does not require you to disclose it. It simply means that the individual may not be able to enlist the court’s support to enforce his or her right.
My advice remains that any SAR made in connection with actual or contemplated proceedings should be politely declined. As is effectively acknowledged by the Information Commissioner, a request may well be unenforceable in such circumstances and it should not be difficult to convince a judge that the real intention of such a request is to subvert the civil disclosure process.
The Commissioner’s Office has also published a simple 10-point ready reference for dealing with requests:
1. Identify whether a request should be considered as a subject access request
2. Make sure you have enough information to be sure of the requester’s identity
3. If you need more information from the requester to find out what they want, then ask at an early stage
4. If you’re charging a fee, ask for it promptly
5. Check whether you have the information the requester wants
6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…
7. But do consider whether the records contain information about other people
8. Consider whether any of the exemptions apply
9. If the information includes complex terms or codes, then make sure you explain them
10. Provide the response in a permanent form, where appropriate.