The ICO has updated its subject access request code of practice not because the GDPR is coming, but because of the outcomes of a couple of court cases (Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford [2017] EWCA Civ 121) that impact interpretation of the Data Protection Act.
Both cases dealt with issues around proportionality of subject access requests particularly when locating data requested under a subject access.
These cases have led to an update to a number of elements of the ICO guidance:
- Chapters 6 and 8 of the Subject Access Request Code of Practice has been updated to reflect on disproportionate aspects of access requests
- Chapters 5 and 6 have also been updated to ensure that subject access is considered when building CCTV systems
- Some changes around a Courts ability to order compliance of a subject access request
- And, some changes relating to disclosure relating to legal privelge
The outcomes of the court proceedings also led to updates to the CCTV code of practice and Data Protection guidance.
Full details of the ICOs approach since the court cases can be found on their blog.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR