Any requests? Information commissioner issues code of practice on subject access

The Information Commissioner’s Office (ICO) has reissued a code of practice on subject access requests (SARs). The code was originally published last year but has been updated and re-issued. It explains the rights of individuals to access their personal data and sets out what data controllers (including employers) must do to comply with their duties under the Data Protection Act (DPA). Although there is no new law in the code, it is the ICO’s interpretation of what the DPA requires organisations to do to comply with SARs. Compliance is not mandatory where the code goes beyond the basic requirements of the DPA but inevitably it will be easier for organisations to show that they have not breached the DPA if they have complied with the code.

SARs are simple and cheap to make and (unlike the rules on disclosure of information in court cases and tribunals) there is no requirement for any justification for a request. Hence they are regarded as a very useful tool for employees in disputes. There has been a good deal of publicity about the new code and this, combined with the abolition of discrimination questionnaires from next month, may lead to heavier reliance on SARs…

Click on the link below to read the rest of the Hogan Lovells briefing.

Briefings from Hogan Lovells

View more briefings from Hogan Lovells

Analysis from The Lawyer

View more analysis from The Lawyer


Atlantic House
Holborn Viaduct

Turnover (£m): 1,030.00
No. of lawyers: 2,280
(UK 200)
Jurisdiction: UK
No. of offices: 9
No. of qualified lawyers: 206 (International 50)