New UK ICO Subject Access Code of Practice

The UK Information Commissioner's Office has published new guidance on the rights of individuals to access personal data that is held by companies about them. The guidance clarifies what companies must do if they receive a request from an individual to access his or her information in order to comply with duties as a data controller under the UK Data Protection Act 1998. In most cases a company must respond promptly to a request, and in any case within 40 days of receipt. The guidance also covers exemptions from the duty to comply with a subject access request and special cases such as credit files and health records. On publication of the guidance, the ICO stated that it had received over 6000 complaints relating to subject access over the last year, one in six of which related to money lenders. The ICO also announced that it will be carrying out a "subject access request sweep" of websites which will look at the information companies provide to anyone who might want to make a subject access request. The ICO intends to report its findings in early 2014.

TIP: Companies that hold personal data and are subject to UK law should use the ICO guidance and checklist to help them understand their obligations to provide subject access to personal data and help them follow good practice when responding to such requests. In anticipation of the website sweep, companies may also want to consider providing information on how to make a subject access request on their website, if they do not do so already.

This tip has been created for information and planning purposes. They are not intended to be, nor should they be substituted for, legal advice, which turns on specific facts.