New guidance: Updated ICO guidance to help organisations handle requests for information under data protection law

Organisations will welcome an updated guide published by the Information Commissioner's Office (ICO) on how to handle 'subject access requests' (SARs) under data protection law, and should review their policies and procedures for responding to SARs accordingly.

The ICO is the independent body whose responsibilities include promoting data privacy for individuals in the UK. A SAR is the document or other form of request an individual must submit to an organisation to see any personal data the organisation holds on them. 'Personal data' is information that can be used to identify them, either on its own or with other information held. It is 'data' whether it is held electronically, in paper form, or in any other form. The organisation must usually provide the personal data it holds within 40 days of the request.

The updated guide, Subject Access Code of Practice: Dealing with requests from individuals for personal information, takes into account the latest legal rulings, including how to handle SARs made for collateral purposes - such as to gather information to help in litigation against the organisation holding the data - and when an organisation can resist complying with a SAR because it would involve 'disproportionate effort'.

Operative date

  • Now


  • Organisations should download the ICO guide from the ICO website, and review their policies and procedures for responding to subject access requests accordingly

© Atom Content Marketing 2017

  • Miss Alexander was extremely professional; courteous and friendly making the preparation of wills a smooth process.