ICO publishes guidance on subject access requests
The Information Commissioner's Office ("the ICO") has published guidance to assist organisations in dealing with requests from individuals for their data.
Subject access requests allow individuals to ask organisations about what information they hold about them. If any information is held, the organisation will usually be required to supply copies to the individual making the request. Generally, organisations are obliged to respond to any requests within 40 days.
The ICO receives a substantial number of complaints by individuals who believe that their subject access requests have not been dealt with correctly. Over the last financial year, 6,000 such complaints were made.
In order to assist organisations in responding to subject access requests, the ICO has outlined ten steps for organisations to consider:
- Identify whether a request needs to be considered as a subject access request;
- Obtain enough information to be sure of the requester's identity;
- Ask the requester at an early stage if more information is required to assess their request;
- If the organisation is charging a fee to deal with the request, this should be asked for promptly. Organisations are permitted to charge a fee of up to £10, unless the request relates to medical or educational records;
- Check that the information the requester wants is available;
- Do not make any changes to the records, even if they are inaccurate;
- Consider whether the records contain information about other people;
- Consider whether any exemptions apply. The exemptions include information held for the purposes of crime and taxation, certain types of management planning information and information that may prejudice negotiations with the requester;
- Explain any complex terms or codes that are included in the information. Organisations should ensure that the information can be understood by the requester; and
- Where appropriate, provide the response in a permanent form.
The ICO will be carrying out a survey of websites later this year, with the aim of identifying what information organisations provide to users who may want to make subject access requests. A report on the findings is expected in early 2014.
ICO fines Aberdeen City Council for 'serious data breach'
Aberdeen City Council ("the Council") has received a financial penalty of £100,000 following a 'serious data breach'.
The breach occurred after a Council employee used her home computer to access various reports and meeting minutes relating to the involvement of social services with a number of individuals. A file transfer programme automatically uploaded these documents to the internet. This resulted in sensitive information about vulnerable children and their families becoming publicly available online.
The documents were available online for more than 3 months before being discovered by another Council employee.
This case reveals the importance of organisations having in place an effective home working policy and appropriate security measures to ensure sensitive information is kept confidential.
The Council was found by the ICO to have no such policy and measures. The Council will be required to enter into an undertaking with the ICO, committing it to improve its compliance with data protection legislation.
Case Ref: FER0480190
Public Authority: Sheffield City Council ("the Council")
This case related to a request made for information about what had been done with a sum of money that the complainant’s employers were required to pay to the Council in connection with a planning matter.
The Council initially stated that it held no further information, but later located additional information falling within the scope of the request, which it disclosed to the complainant.
The complainant referred the matter to the Commissioner to determine whether the Council had disclosed all of the relevant information.
The Commissioner confirmed that the Council had provided all the information falling within the scope of the request. It is therefore not required to take any further steps in relation to this request.
However, the Commissioner also found that the Council breached regulation 5(2) of the Environmental Information Regulations 2004 ("EIR") by failing to supply the information within 20 working days of receipt of the request. The Commissioner has recommended that the Council take steps to improve the way in which it processes information requests in future.
Case Ref: FER0483676
Public Authority: Department for Environment, Food and Rural Affairs ("Defra")
A request was made for details of a planned badger cull.
Defra provided the complainant with some of the requested documents but released parts of the information in redacted form, relying on the exemptions under regulations 12(5)(a) (adverse effect on public safety) and 12(5)(g) (adverse effect on the protection of the environment) of the EIR.
The Commissioner concluded that Defra had applied the exemptions incorrectly. It was therefore not entitled to redact the information, and is obliged to disclose the information in full.
Case Ref: FS50486137
Public Authority: BBC
The complainant made a request to be supplied with a copy of the Balen Report "Reporting the Middle East" paper JB(04)40 ("the Balen Report").
The BBC argued that the information was covered by a derogation, meaning the obligations of the Freedom of Information Act 2000 ("FOIA") do not apply to it.
The Commissioner agreed that, as the Balen Report is held by the BBC for the purposes of "journalism, art or literature", it does not fall within the scope of the FOIA.
Ashfords LLP is Authorised and Regulated by the Solicitors Regulation Authority. The information in this note is intended to be general information about English law only and not comprehensive. It is not to be relied on as legal advice nor as an alternative to taking professional advice relating to specific circumstances. Links to other sites and resources provided by third parties are included for your information only. We have no control over the content and accept no responsibility for them.