Data protection: Help with subject access requests

The Information Commissioner’s Office (ICO) has published a subject access code of practice to help guide data controllers when dealing with subject access requests. This is where an employee requests access to personal data held by their employer.

The Code includes guidance on:

• how to recognise a subject access request and offers practical advice on how to deal with, and respond to, such a request;
• how to deal with subject access requests involving third parties’ information; and
• the “disproportionate effort” exception to the obligation to provide information in a permanent form.

The ICO has stated that the code “will help organisations handle subject access requests more efficiently, while supporting the public in taking control of their personal information”.

You can access the Subject access code of practice and the Subject access request checklist here.  The checklist helpfully sets out the ten steps organisations should take when dealing with a subject access request.