New guidance leaves crucial data protection compliance questions unanswered

New guidance leaves crucial data protection compliance questions unanswered


Author: Jo Joyce

One of the best known rights enshrined in the Data Protection Act 1998 is the right of individuals to make data subject access requests (DSARs) of any organisation they believe is holding - described by the Act as processing - their personal data.

Compliance with data protection law in the UK is primarily the responsibility of the Information Commissioner, whose office has recently published a new Subject Access Code of Practice to help organisations comply with their obligations in respect of DSARs under the Act.

DSARs: The basics

An organisation on the receiving end of a DSAR has 40 days to respond to it and is obliged to provide the individual making the request with details about the information the organisation holds about them unless one of the limited exceptions set out in the Act applies.

In most cases, an individual making a DSAR will be entitled to: 

  • be told whether any of their personal data is being processed 
  • receive a description of the personal data, and the reasons for which it is being processed 
  • receive a copy of the personal data 
  • receive details of the source of the data (where this is known)

DSARs must be submitted in writing, but individuals do not have to (a) state that it is a data subject access request, (b) to refer to the Act or (c) to use a particular format to submit their request. Organisations do have the right to charge a fee for processing DSARs, but this is capped at £10. It is important to ensure that the identity of the individual making the request is confirmed before any information is supplied to them.

DSARs made under the Act are commonplace. These are often received from customers of a business and are usually easily dealt with by following a set procedure, provided, of course, that the person receiving the DSAR recognises it as being one. The Information Commissioner's Code of Practice provides some useful steps to follow to ensure DSARs are handled properly and makes some recommendations to help organisations establish procedures and employee training.

Modern guidance for a modern world?

Although the Code of Practice comes at the end of a significant period of consultation, much of its content is drawn from pre-existing guidance which has simply been consolidated into one document. The guidance does address a few new issues however, notably what organisations should do when they receive DSARs via social media.

It is more likely that a DSAR made via Facebook or Twitter (rather than submitted by email or letter) will be missed by an organisation, and it will be of some comfort to organisations with corporate social media accounts to know that the Information Commissioner recognises this.

The Information Commissioner has indicated that it will use its discretion in deciding whether to take enforcement action over DSARs that have been complied with in circumstances where it considers that it has genuinely been inadvertently missed because they were made via unusual route.

However, the Code of Practice makes clear that DSARs made via social media are perfectly valid and should be complied with. Organisations should therefore ensure that the possibility of receiving DSARs via social media is taken into account in their data protection policies and training.

The unfairness of uncertainty: Too much discretion or not enough from the Information Commissioner?

Whilst the Code of Practice will be a useful tool for anyone responsible for dealing with DSARs, it still leaves questions unanswered regarding the exercise of discretion by the Information Commissioner's Office and how that compares to the approach taken by the courts.

Although most DSARs are fairly straightforward, when received from an employee or a party with whom the organisation is in dispute, they can be incredibly burdensome, time consuming and expensive.

The Act does not require an individual to set out its reasons for making a DSAR, so there is nothing to prevent a current or former employee requesting details of all their personal data and, unless an exemption applies under the Act, the organisation would have to devote a huge number of man hours to collating, describing and providing the data to the individual in question.

In addition, DSARs are becoming increasingly common during employment proceedings and as a way of circumventing the normal disclosure process in litigation.

Receiving a contentious DSAR at a time when other proceedings are ongoing or being contemplated is often a major source of confusion for organisations. In particular, the approach taken by the Information Commissioner in this context does not align with that followed by the courts and the Code of Practice offers little comfort in this respect.

In the event that an individual considers that an organisation has failed to comply with his DSAR, they have the option to seek redress from the courts or the Information Commissioner. Recent case law has indicated that where the court considers a DSAR is being used to obtain information that should properly come out in disclosure, the judge will refuse to order that the organisation complies with the DSAR.

However, the Code of Practice makes clear that the Information Commissioner will not adopt the same approach to the courts. On the contrary, the Information Commissioner has indicated that where his office receives a complaint regarding non-compliance with a DSAR, he will not take into account the fact that the DSAR in question is being used to fuel separate litigation, even though he does have discretion as to whether to investigate a complaint.

Concern over this disparity in the approaches of the courts and the Information Commissioner was raised by a number of organisations, including Shoosmiths, in their response to the consultation on the Code of Practice before it was finalised.

Although the Information Commissioner notes the differences in approach between his office and the courts in the Code of Practice, disappointingly there is no effort made to address this issue.

Organisations and their legal advisers faced with a DSAR in the midst of legal proceedings must therefore decide whether or not to comply, thus running the risk of a negative finding against them from the Information Commissioner if they refuse.

What should I do?

  • The publication of the Code of Practice is a good opportunity to check that existing policies and training are adequate to help you to respond to DSARs you may receive.
  • If you receive a DSAR via social media, treat it the way you would one that was received by post or email, but be sure to verify the identity of the individual making the request before you send them any information.
  • If you receive a DSAR from an individual with whom you are engaged in litigation, think carefully before refusing to comply and consider taking legal advice on the best course of action. If you do comply, make sure that you redact or withhold any information that is protected by legal privilege (created in contemplation of litigation or advice from lawyers).

Click here to read the new Subject Access Code of Practice

For further information, please contact [email protected] or [email protected]