We updated you in our March 2017 Newsletter Case update (2): Data protection – easy access on the case of Dawson-Damer v Taylor Wessing LLP which was favourable to individuals (in this case litigants) in obtaining information using a subject access request (SAR).
The Information Commissioner’s Office (ICO) has updated its:
These updates are to ensure that the above reflect the developments in case law as highlighted in our above case update and also in the Court of Appeal decision of Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others  which confirmed that there is no need to take a “no stone unturned” approach to ensure a search is reasonable and proportionate as required under the Data Protection Act.
The most significant changes focus on the disproportionate effort exemption to compliance with SARs and on those SARs made for collateral purposes.
The section of the Code on ‘Finding and retrieving the relevant information’ now notes that the Data Protection Act places a “high expectation“ on providing information in response to a SAR. In relation to information contained in emails, the Code now notes that the disproportionate effort exemption cannot be justification for a blanket refusal to respond to a SAR and the question to be considered is “what is proportionate in the circumstances“.
When assessing what constitutes disproportionate effort, the Code now reflects recent case law and states that:
In terms of collateral purposes, the ICO advises that any collateral purposes for making a SAR are not relevant to the data controller. Data controllers are encouraged to have systems which facilitate locating, extracting and redacting personal data in response to SARs.
Don’t forget also that data protection is a ‘hot topic’ currently and that more change is on its way with the General Data Protection Regulations (GDPR) which are set to replace the Data Protection Act by May 2018. For our updates on this important subject see here.
Given the complexity of the changes to SARs and the ongoing complexity of data protection with the GDPR reforms please do not hesitate to contact Luke Menzies at firstname.lastname@example.org or 0117 325 0526 or any other member of the team for advice and practical guidance on how to prepare for these changes.