
Subject access requests: new sector focus by ICO

20 February 2012

The health, credit and finance sectors are to be the focus of the Information Commissioner’s Office (“ICO”) attention over the coming year.

Complaints received by the ICO, which is responsible for enforcing the Data Protection Act 1998 (“DPA”) and the Freedom of Information Act 2000, have highlighted that these sectors are failing to handle subject access requests (“SARs”) adequately. Other priority sectors identified by the ICO include criminal justice, internet and mobile services and information security.


What is a Subject Access Request?

A SAR allows an individual to ask to see a copy of the information that an organisation, such as their employer, holds about them. Requests can be extremely detailed or very brief; there is no set form, and this can lead to SARs being overlooked on receipt by an employer.

A SAR entitles individuals to be told whether any of their personal data is being processed and if so to receive in a permanent and intelligible form:

In addition individuals are entitled to receive a copy of the data and any available details of its source.

If an individual’s personal data is processed automatically, e.g. to assess performance or absence levels, they have the right to be told the logic involved in any decision taken that would affect them, where the results of the processing have formed, or are likely to form, the sole basis of the decision.

What do we need to do?

A SAR must be complied with within 40 calendar days and employers must ensure that an adequate search for data is carried out. An employer need only conduct a search which is proportionate to the request in terms of expense and difficulty. However, before complying an employer can request additional information from the individual to establish their identity and to locate the data requested, as well as an administration fee of up to £10.

The response to a SAR should be detailed (but employers need to be aware of the need to blank out any third party’s personal data which might otherwise be inadvertently disclosed), clearly explain why certain types of data have been included and the reason why any data has been withheld. An explanation of the search conducted should also be provided, and this should be sufficient for the individual to ascertain whether the employer has complied.

If an employer has a clear data protection policy in place setting out how personal data is processed and stored within its organisation this will assist greatly in compiling a response to a SAR.

Individuals who are involved in litigation against their employer sometimes use SARs as a means of ‘fishing’ for information they think may help their case, or simply of causing an administrative headache for the employer. Although this is not the proper purpose of a SAR, and it may allow individuals to circumvent the normal litigation disclosure process, an employer cannot refuse a SAR on this basis, however frustrating that may be.

What are the consequences?

The consequences of failing to comply with a SAR can be significant. The ICO can assess whether the SAR has been lawfully complied with and serve a notice on an employer requiring it to provide the data if it considers this has not been done properly (or at all). Individuals can also apply to the courts for an order for compliance. Should a SAR not be complied with, an individual will have a claim for damages and potentially compensation for distress under the DPA.

An individual has further statutory remedies available should the data provided as part of a SAR be inaccurate or reveal additional breaches of the DPA. These include a limited right to prevent processing that is likely to cause damage or distress and a right to have inaccurate data rectified, blocked, erased or destroyed.

What about the future?

With a growing understanding amongst individuals of their data protection rights, employers, particularly those in the sectors identified by the ICO as priority areas, should be ensuring that:

It may be tempting in the current climate to allow compliance with the DPA to slide, particularly when staffing levels and training budgets are being reduced. However, in view of the ICO’s high-level Information Rights Strategy published at the end of last year, which sets out how it will be seeking to exercise its enforcement powers, it would be inadvisable to do so.

This year looks to be a significant one for data protection compliance, particularly as the European Commission has recently published its proposals for reforming the approach to data protection across the EU. Please see our article on the Overhaul of European Data Protection Law backed by Powers to Impose Substantial Fines for further information on the proposed reforms.

For further information about DPA compliance and dealing with SARs please contact your usual Shoosmiths advisor.

© Shoosmiths. This page is for general information: it is not legal advice. Please read our full terms and conditions for details of the disclaimers and exclusions which apply.

Get in touch

Pamela Morris

Solicitor
T: 03700 86 6756
I: +44 (0)1489 61 6756
E: pamela.morris@shoosmiths.co.uk