ICO seeks views on its draft Subject Access Code

The Information Commissioner’s Office (ICO) plans to publish a code of practice on Subject Access next April in order to clarify how data controllers can best comply. The code will promote good practice and show how to meet the DP Act’s requirements in practical terms.

While a Subject Access Request (SAR) must be made in writing, it can be sent by email or fax, via an organisation’s Facebook page or Twitter account, or other social media sites to which the organisation subscribes.

If a request does not mention the DP Act specifically or even say that it is a SAR, it is nevertheless valid. Before responding to a SAR for information held about a child, organisations must make sure that the child is mature enough to understand their rights.

Organisations should have efficient information management and records management systems to deal with SARs. If an organisation cannot reply to a SAP within the 40 day time limit, it should contact the requester to explain the reason and when they might expect a response.

The ICO’s consultation on its Subject Access Code closes 21 February 2013.

Read more about this topic in the January 2013 issue of Privacy Laws & Business UK Report.