ICO backs midata approach for reducing burdens in handling subject access requests

Out-Law News | 13 Mar 2014 | 2:20 pm | 3 min. read

Giving customers secure access to the personal information businesses hold about them can help those businesses reduce the administration and costs associated with handling repeated requests for access to such data, the UK Information Commissioner's Office (ICO) has said.

The watchdog said that providing data to customers in online or electronic formats is one "effective mechanism" businesses can deploy for reducing the burdens associated with responding to subject access requests (SARs).

"[An indicator of good practice is when,] where appropriate, customers are able to access their personal information free of charge by using a secure website," the ICO said in an updated version of its code of practice on dealing with subject access requests (58-page / 1MB PDF). "This is good customer service and is likely to reduce the number of SARs the organisation has to deal with. If requested, personal information is supplied in a machine-readable and re-usable format."

The good practice identified by the ICO is broadly similar to the UK government-backed 'midata' scheme. The voluntary scheme requires signatories to provide consumers with access to their personal data in a "portable, electronic format". The 'consumer data' principles that midata adopters adhere to include making the data available in "an open standard format" that is "reusable" and "machine-readable", in as standard a form as is possible across sectors.

Adherence to the midata principles may be mandated by the government in some sectors. The government is currently reviewing the adoption of the midata initiative and is due to report on its progress this month. It has said that the report would help guide it on whether to "require companies to release the data they hold on consumers".

The government has backstop powers, under the Enterprise and Regulatory Reform (ERR) Act, to force energy suppliers, mobile network operators and current account and credit card providers, or any other group of organisations, to provide customers with access to their electronically-held transaction data.

Businesses are already obliged to provide customers with access to their personal data under certain circumstances under the UK's Data Protection Act (DPA).

Under the DPA, organisations that receive a request from an individual for access to the personal data held about them are generally required to provide a copy of that data within 40 days of receiving the request. In order to comply with SARs, organisations must generally provide the information in an "intelligible form". The copy must also be in "permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise."

Last August the ICO issued a new code of practice for organisations on how to handle SARs. The watchdog has now updated its code to include new guidelines on how businesses should handle repeat or unreasonable requests from individuals for access to their personal data.

The new guidance explains that individuals have a right to submit as many SARs as they wish but that businesses are not obliged to comply with the requests made at "unreasonable intervals".

The ICO identified a number of factors that could help organisations identify whether a repeat SAR received has been submitted at a reasonable interval.

"[The DPA] says you should consider the following: The nature of the data – this could include considering whether it is particularly sensitive; the purposes of the processing – this could include whether the processing is likely to cause detriment (harm) to the requester; how often the data is altered – if information is unlikely to have changed between requests, you may decide that you need not respond to the same request twice," the code said.

Where organisations have collected new information on individuals or amended existing records since first responding to a SAR, they are obliged to respond in full to a subsequent SAR from that individual and "not merely supply information that is new or has been amended since the last request", the ICO said.

"In practice we would accept that you may attempt to negotiate with the requester to get them to restrict the scope of their SAR to the new or updated information; but if they insist upon a full response then you would need to supply all the information," it said.

The updated code has also clarified individuals' rights to inspect their "manual health records" free of charge in certain circumstances. The term relates to health records held in non-electronic form.

The new guidelines also explained how organisations should handle circumstances where they become aware that a person who has submitted a SAR has died before they have been able to respond to the request.

"If a requester dies before a response is provided but the data controller received the SAR when the individual was living, it must provide the response to the individual’s personal representatives," the ICO said. "As a matter of good customer service we suggest that it would be advisable for data controllers who are aware that the data subject has died and who know the identity of the personal representative(s) to check with them if they in fact still wish to receive the information, before sending it."