
The ICO's Subject Access Code of practice

November 2013

The right to find out what information an organisation holds about you is one of the cornerstones of European data protection law.  This right is exercised by individuals not only for this basic purpose but also as a litigation tool. In extreme cases, the subject access right is even used just to be a nuisance.  Organisations can find themselves drowning under the weight of subject access requests (SARs) if they are not adequately prepared. 

The Information Commissioner's Office (ICO) published a code of practice (Code) in August 2013, advising organisations on how to deal with SARs and suggesting a ten step checklist approach.  The checklist advises organisations to:

  • identify whether a request should be considered as a SAR;
  • make sure you have enough information to be sure of the requester's identity;
  • if you need more information from the requester to find out what they want, then ask at an early stage;
  • if you're charging a fee, ask for it promptly;
  • check whether you have the information the requester wants;
  • don't be tempted to make changes to the records even if they're inaccurate or embarrassing…
  • do consider whether the records contain information about other people;
  • consider whether any of the exemptions apply;
  • if the information includes complex terms or codes, make sure you explain them;
  • provide the response in a permanent form where appropriate.

Much of the Code concentrates on providing plain language advice and reminders about the obligations to comply with SARs.  The Code does, however, address some of the issues that commonly cause difficulties for organisations and also attempts to answer some of the questions organisations might have when deciding how to respond to a SAR.

SARs made in connection with litigation

However annoying it may be to have to deal with a SAR or multiple SARs which are being made in connection with litigation, the ICO does not consider the data subject's purpose in making a SAR as relevant to the obligation to respond to it. This means that even if the SAR is made purely in connection with litigation rather than to protect the individual's privacy, it must be treated in the same way as any other request by the data subject.

On the other hand, where an applicant applies to the courts to enforce subject access rights, the courts may treat the application as an abuse of process if the request was made primarily as a litigation tool rather than to protect privacy.

Use of social media to make a SAR

An interesting point to note is that SARs may be made using the data controller's social media pages although the ICO does not particularly recommend this.  The Code also suggests that while there is no legal obligation to respond to oral requests, provided the identity of the caller has been verified, it might be reasonable to respond or at least to explain how to make a valid SAR.

Multiple SARs

The Code discusses how to deal with multiple SARs.  It is clear that while there are no express limits on search obligations under a SAR, data controllers are not required to do things which would be unreasonable or disproportionate to the importance of providing subject access to that information. Nonetheless, the data controller must be prepared to make "extensive efforts to find and retrieve the requested information" bearing in mind the fundamental nature of the subject access right.  The ICO goes on to say that although all SARs must be responded to, the ICO will take into account high volume requests when considering whether or not to respond to a complaint about late action or to take enforcement action.

How hard to search

Guidance is given on the lengths to which to go to retrieve all personal data stored.  For example, while an organisation should be expected to provide archived personal data in response to a SAR, it would not be expected to use extreme measures to recover deleted data previously held in electronic form.  There is no expectation that organisations should reconstitute deleted information. 

The "disproportionate effort exception"

The guidance also deals with the "disproportionate effort" exception in s8(2) of the Data Protection Act 1998, which states that there is no obligation to supply the requester with a copy of relevant information in permanent form where the requester agrees to another arrangement or where the supply of a copy is impossible or would involve disproportionate effort.  The ICO recognises that the lack of clarity about what constitutes disproportionate effort has caused considerable confusion and stresses "you should rely on the disproportionate effort exception only in the most exceptional of cases…even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you must comply with the request in some other way".

Enforcement notices

Clarification is given on the issue of enforcement notices.  The ICO will not necessarily serve an enforcement notice where an organisation has failed to comply with a SAR but will consider whether the failure is likely to cause or has caused the data subject to suffer damage or distress. The ICO can issue an enforcement notice where there is no such result but it must be reasonable in all circumstances to do so and organisations will not be required to take unreasonable or disproportionate steps to comply with the law.


The Code provides organisations with a considerable amount of clear information about their obligations in relation to SARs as well as sensible suggestions to make the process as painless as possible, for example by:

  • carefully logging receipt of SARs and updating the log to monitor progress;
  • keeping registers and indexes of records and metadata to make it easier to locate requested data; and
  • keeping copies of disclosure bundles showing any redactions and the reasons behind them for reference. 

Ambiguities may still remain in the areas where the data controller or indeed the ICO is required to exercise a degree of discretion but there are no real surprises in the views taken by the ICO.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Debbie Heywood


Debbie looks at the ICO's recommendations for dealing with subject access requests.
