By Vivienne Adams, Senior Policy Officer.
As July arrives and brings with it summer (albeit a damp version of it here in Wilmslow so far), there are now fewer than 11 months until the arrival of the much-heralded GDPR.
As you can imagine, that means a busy time in the policy team, working on the guidance to help organisations understand the new law. But while there’s plenty of work still to do there, our work on guidance for the Data Protection Act (DPA) doesn’t stop.
The DPA is, after all, the current law. And as its interpretation is adapted and evolves through court decisions, so must our corresponding guidance.
The latest updates we’ve made to the Guide to data protection and also our CCTV and Subject access request (SAR) codes of practice are a case in point. Please see the appendix below for more details.
Earlier this year, two Court of Appeal judgments – Dawson-Damer & Ors v Taylor Wessing LLP  EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford  EWCA Civ 121 – were published which were particularly notable for how they dealt with disproportionate effort around subject access requests.
Those judgments clarified that data controllers can take into account difficulties which occur throughout the process of complying with a request, including difficulties in finding the requested information.
That doesn’t mean organisations should try to avoid replying to subject access requests. The burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps.
And even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you should still try to comply with the request in some other way.
It’s another stage of the evolution of the law. If you want to keep up-to-date on future changes to guidance, it’s worth signing up to our e-newsletter, which provides monthly updates on all things information rights.
Details of changes to ICO guidance and codes of practice
Subject access code of practice
Disproportionate effort and the handling of SARs
We have amended chapters 6 and 8 on the application of the disproportionate effort exception in s8(2) of the DPA: the extent of the duty to provide subject access, information contained in emails and supplying information in permanent form.
In chapters 5 and 6 we have highlighted to organisations that when they design or specify systems such as CCTV they should bear in mind the need to facilitate the handling of SARs.
National scope of LPP exemption
We have also clarified in chapter 9 that personal data is exempt from the right of subject access if it consists of information for which legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
Court’s discretion under s7(9) DPA
We have amended chapters 9 and 11 to state the Court of Appeal’s view that the court has a wide discretion to order compliance with a SAR, and to include the factors it listed. The existence of a collateral purpose or legal proceedings when making a SAR is irrelevant.
Other changes to the SAR code
We have also taken the opportunity to make other changes to the Subject access code of practice:
- In chapter 10 we have clarified, in order to avoid confusion, that the ICO is not the responsible regulator for legislation on access to pupils’ educational records.
- At the end of chapter 11 we have inserted a new paragraph stating the position on enforced subject access.
- Throughout the code, we have changed references to the gender of the Commissioner to the feminine.
CCTV code of practice
We’ve amended section 5.2.3 of the CCTV code of practice to reflect the Court of Appeal’s judgments on the application of the disproportionate effort exception.
We’ve also amended the wording of sections 5, 6 and 7 to highlight to organisations the need to ensure the design of CCTV and other surveillance systems facilitates the handling of SARs.
Finally we’ve removed references to old cases, and updated old links.
Guide to data protection
We’ve amended the section “What if sending out copies of information will be expensive or time consuming?” to reflect the Court of Appeal’s judgments on the disproportionate effort exception.
We have also amended the section on exemptions: “Legal advice and proceedings” to state that the exemption applies where legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.
Vivienne Adams is a Senior Policy Officer in the ICO’s Policy and Engagement Department, working on information rights policies and providing advice and guidance to colleagues and stakeholders.