The ICO’s Subject Access Code


The Code, issued under section 51 of the Data Protection Act 1998 (the Act) as part of the Information Commissioner’s statutory duty to promote good practice, does not have the force of law, and enforcement action will not be taken against organisations simply for not applying it. However, following the Code should help organisations meet their obligation to deal properly with subject access requests: the mechanism under section 7 of the Act by which individuals have the right to obtain a copy of the personal data that a data controller holds about them, on payment of any fee the controller chooses to charge (up to the prescribed maximum).

There is much more to the Code than just the “ten steps”: it contains plenty of examples and, in particular, a useful explanation of how the various exemptions may apply. The Code also deals with issues such as children’s rights of access and subject access requests submitted via social media, and it contains a reminder that the purpose behind a request is not a relevant consideration when deciding whether to comply with it. Nevertheless, the ten steps will probably be the first page data protection compliance officers turn to. These are:

  • Is it a subject access request?
  • Do you have enough information to be sure of the requester’s identity?
  • Do you need information from the requester to find what they want?
  • Are you charging a fee?
  • Do you have the information the requester wants?
  • Will the information be changed between receiving the request and sending the response?
  • Does it include information about other people?
  • Are you obliged to supply the information?
  • Does the information include any complex terms or codes?
  • Prepare the response.

The Code is an important document and should be required reading for those tasked with data protection compliance. It is published by the ICO.