Government reforms (2): Data protection – Subject access requests

What do we already know?

In our March 2017 Newsletter, Case update (2): Data protection – easy access, we updated you on the case of Dawson-Damer v Taylor Wessing LLP, which was favourable to individuals (in this case litigants) in obtaining information using a subject access request (SAR).

What’s new?

The Information Commissioner’s Office (ICO) has updated its:

  • subject access code of practice (available here);
  • guide to data protection (available here); and
  • CCTV code of practice (available here).

These updates ensure that the above documents reflect developments in case law, as highlighted in our case update above and in the Court of Appeal decision of Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others [2017], which confirmed that a search does not need to take a “no stone unturned” approach to be reasonable and proportionate as required under the Data Protection Act.

The most significant changes focus on the disproportionate effort exemption to compliance with SARs and on those SARs made for collateral purposes.

The section of the Code on ‘Finding and retrieving the relevant information’ now notes that the Data Protection Act places a “high expectation” on providing information in response to a SAR. In relation to information contained in emails, the Code now notes that the disproportionate effort exemption cannot be a justification for a blanket refusal to respond to a SAR, and that the question to be considered is “what is proportionate in the circumstances”.

When assessing what constitutes disproportionate effort, the Code now reflects recent case law and states that:

  • data controllers may take into account difficulties which occur through the process of complying with a SAR including difficulties finding the information requested;
  • data controllers are expected to evaluate the circumstances of each request, balancing any difficulties in complying against the benefits to the data subject if they receive the requested information. This should be overlaid by a consideration of the fundamental nature of data subject rights;
  • the burden of proof is on the data controller to show that it has taken all reasonable steps to comply with the SAR and that further steps would have been disproportionate;
  • it is good practice to engage with the requester about the information they require as this may help avoid unnecessary costs and effort;
  • the ICO may take the data controller’s willingness to engage with the requester into account in the event that it receives a complaint about the data controller’s response to the SAR; and
  • even if the data controller can show compliance with a SAR would involve disproportionate effort, it must still comply with the SAR in another way if the data subject agrees.

In terms of collateral purposes, the ICO advises that any collateral purposes for making a SAR are not relevant to the data controller. Data controllers are encouraged to have systems which facilitate locating, extracting and redacting personal data in response to SARs.

Don’t forget that data protection is currently a ‘hot topic’ and that more change is on its way with the General Data Protection Regulations (GDPR), which are set to replace the Data Protection Act by May 2018. For our updates on this important subject see here.

Given the complexity of the changes to SARs and the ongoing complexity of data protection with the GDPR reforms, please do not hesitate to contact Luke Menzies on 0117 325 0526, or any other member of the team, for advice and practical guidance on how to prepare for these changes.