Privacy & Information Security Law Blog

On December 13, 2012, the UK Information Commissioner’s Office (“ICO”) announced a consultation on a draft subject access code of practice (the “Code”). The Code is open for public comment until February 21, 2013.

Under the UK Data Protection Act 1998, individuals are entitled to access the personal data an organization processes about them, and know the purposes of the processing, whether the organization shares the personal data with any third parties and the source of the personal data. At present, many organizations fail to comply with their subject access obligations in the UK. Over the past fiscal year, the ICO dealt with nearly 6,000 complaints from individuals unhappy with the way organizations had responded to their subject access requests.

The draft Code sets forth best practice indicators that the ICO expects organizations to adopt, including:

• staff training, including refresher training;
• a dedicated data protection page on staff intranets, including details on subject access policies and procedures;
• the designation of specific individuals or teams responsible for responding to requests;
• a mechanism for escalating requests to management where the requestor is dissatisfied with the initial response;
• the presence of data protection experts (or “Information Champions”), particularly in larger organizations; and
• monitoring of compliance with access requests.

Announcing the consultation, ICO Deputy Commissioner and Director of Data Protection, David Smith, commented that “…subject access requests play an increasingly important role in helping us take control of our personal information,” and “they can also benefit organisations by highlighting inaccuracies in their records...”

The final version of the Code is due to be published in Spring 2013.