New ICO subject access code of practice helps organisations give people control over their data
News release: 8 August 2013
The Information Commissioner’s Office (ICO) has today published new guidance for organisations to help them deal with requests from individuals for their data.
Under the Data Protection Act, anyone has the right to find out what information an organisation holds about them by making a subject access request. This right allows individuals to find out important information ranging from details recorded on their credit history to data included in their health record. Once received, an organisation normally has forty days to reply to the request.
During the last financial year the ICO handled over 6,000 complaints related to subject access requests, with over one in six of these complaints relating to money lenders, including credit reference agencies and banks.
The new guidance, which has been accredited by the Plain Language Commission, will help organisations handle subject access requests more efficiently, while supporting the public in taking control of their personal information.
Announcing the publication of the ICO’s new subject access code of practice the Information Commissioner, Christopher Graham, said:
“We are all being asked to provide organisations with more and more information about ourselves and subject access requests are a useful tool for keeping control of our data. They can be particularly important when checking your credit rating or applying for a loan, but the ICO’s complaints figures show that many organisations still need to improve their processes for dealing with these requests.
“Handling subject access requests correctly can also benefit organisations by highlighting errors and helping them to make sure the information they are using is accurate and up-to-date.
“Our new subject access code of practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect. This can only be a good thing for organisations and consumers.”
As part of the launch the ICO has published ten simple steps which organisations should consider when responding to subject access requests.
- Identify whether a request should be considered as a subject access request
- Make sure you have enough information to be sure of the requester’s identity
- If you need more information from the requester to find out what they want, then ask at an early stage
- If you’re charging a fee, ask for it promptly
- Check whether you have the information the requester wants
- Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…
- But do consider whether the records contain information about other people
- Consider whether any of the exemptions apply
- If the information includes complex terms or codes, then make sure you explain them
- Provide the response in a permanent form, where appropriate.
The ICO will also be carrying out a ‘subject access request sweep’ of websites later in the year. The project will look at the information that organisations in the public, private and third sectors are providing to anyone who may want to make a subject access request, and its findings will inform a report to be published in the new year.
For more information, see our subject access requests page.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO regulates the Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004. In Scotland, freedom of information is a devolved matter and Scottish public authorities are subject to the Freedom of Information (Scotland) Act 2002 which is regulated by the Office of the Scottish Information Commissioner in St Andrews.
3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
4. If you need more information, please contact the ICO press office on 0303 123 9070.