13 June 2018
Subject Access Requests, by which an individual data subject has a legal right under the DPA to apply to an organisation and find out what personal data it holds on them, were the subject of 6,000 complaints to the ICO last year. Perhaps as a consequence, the ICO has produced a draft subject access code of practice aimed at organisations in order to prevent misunderstandings and to outline clearly the scope of individuals’ rights and organisations’ responsibilities to provide information relating to an applicant’s personal data.
The ICO is looking to achieve a balance between the protection of privacy for individuals which is provided by the subject access right, and the proportionality of the obligations placed on organisations which process personal data and who usually need to provide a substantive response to a request within 40 days.
Charities who process personal data, as well as individuals and other stakeholders, are invited to respond by 21 February 2013. The ICO hopes to publish the final code of practice by April 2013.