ICO issues new guidelines on complying with subject access requests under Data Protection Act
New guidelines follow 6,000 complaints made to the ICO about subject access requests
The Information Commissioner's Office (ICO) has published new guidelines for organisations on how to properly respond to requests from individuals who want to know how their information is used.
Under the Data Protection Act (DPA), anyone can find out what information an organisation holds about them by making a subject access request. Once a request is received, the organisation has 40 days to respond.
The new guidelines follow 6,000 complaints made to the ICO about subject access requests, with one in six relating to organisations in the finance sector, including banks and credit card providers. The guidance from the ICO aims to help organisations manage requests made under the DPA more efficiently, while giving members of the public more control over the data held about them.
"We are all being asked to provide organisations with more and more information about ourselves and subject access requests are a useful tool for keeping control of our data," said information commissioner, Christopher Graham.
"They can be particularly important when checking your credit rating or applying for a loan, but the ICO's complaints figures show that many organisations still need to improve their processes for dealing with these requests.
"Handling subject access requests correctly can also benefit organisations by highlighting errors and helping them to make sure the information they are using is accurate and up-to-date," he continued.
"Our new subject access code of practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers' data and being open and transparent about the information they collect.
"This can only be a good thing for organisations and consumers," Graham concluded.
The ICO has announced it will carry out a "subject access request sweep" of websites later in the year. It will look at the information organisations in the public and private sectors are providing to anyone who may want to make a subject access request and report back at the beginning of next year.