The Information Commissioner’s Office (ICO) has today published its draft Code of Practice on Subject Access Requests (SAR) for consultation.
There is nothing in the draft code which will cause major surprise. It is largely a rehashing, and minor expansion, of material which already exists in his general data protection guidance and in specialist guidance on matters such as accessing information in complaints files or dealing with requests involving other people’s information.
On first consideration the following matters appear to stand out.
1. A lack of recognition that, for public authorities, any SAR falls within s1 Freedom of Information Act 2000 (FOIA), so that, e.g., the duty to advise and assist applies.
This occasionally leads to a lapse in distinguishing good from mandatory practice. For example, on page 10 the draft code suggests that you do not need to respond to a request which is not in writing. For a public authority, ignoring the verbal request would be a failure to provide advice and assistance to persons who propose to make a request for information. Similarly, page 41 refers to good practice in providing explanations which should be mandatory for a local authority.
2. In dealing with exemptions the draft code really does not get to grips with the problem, which many find difficult, of dealing with an SAR on those occasions when you simply cannot tell the requester at all about some personal data’s existence or processing, e.g. if there is a note in your file of a police enquiry where, particularly if they have used the ACPO form, the police will have requested non-disclosure. The draft code (top of page 46) refers correctly to denying subject access, but gives no assistance on the right way to do this, and lacks the necessary warning about not giving a misleading answer such as “We enclose all the personal data which we hold…”. I would also have expected here a discussion (for public authorities at least) of when and why there may be a need to use s40(5)(b)(ii) FOIA in such cases.
3. Finally, and again not surprisingly, the ICO continues his warning about misreading the decision in Ezsias v Welsh Commissioners All ER (D) 65 (Dec), which appears in the existing Disproportionate Effort guidance.
In doing so he ignores subsequent cases which have strongly indicated that this guidance is wrong. See Elliot v Lloyds TSB Bank PLC & Anor EW Misc 7 (CC), discussed on the excellent Panopticon blog. See also there Karim Abadir v Imperial College.
Whilst ICO is entitled to take his own view in these areas, it is hardly satisfactory to have a situation where there are two routes to enforce an SAR: through the courts under s7(9) Data Protection Act 1998 (DPA), or via the ICO using the s42 DPA assessment process.
In both the guidance and the draft code (see page 24) ICO stresses that Ezsias is not authority for suggesting that a disproportionate effort test applies to finding the information required to respond to an SAR. However ICO wishes to parse it, that is hard to reconcile with paragraph 93 of the judgement in Ezsias, which simply states “Under the 1998 Act, upon receipt of a request for data, a data controller must take reasonable and proportionate steps to identify and disclose the data he is bound to disclose.” Those reasonable and proportionate steps may well in many (or most) cases need to be extensive, but there should be no need to restrict the basic test laid down by the courts.
The ICO is also apparently on a collision course with the courts over the effect of the same authorities on the ability to refuse to deal with an SAR as constituting an abuse. See draft code pages 49-50. This arises from the same line of cases mentioned above. The ICO seems to be saying that the courts may decline to exercise their discretion under s7(9) to enforce, but that in identical circumstances he would exercise his discretion to enforce under s42. The underlying problem appears to be the well-known ICO dislike of the Durant decision and its clear statement that the purpose of an SAR is “… to check whether the data controller’s processing of the data unlawfully infringes his privacy … to take such steps as the Act provides … to protect it … [it is] not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved … not to obtain discovery of documents that may assist in litigation or complaints”.
So the courts are not so much exercising a discretion as taking the view that the complaint is misfounded, because its purpose has nothing to do with privacy. I have little doubt, however, that ICO will continue this approach, which is unlikely to be resolved, this side of the new directive, unless someone challenges an enforcement notice after taking the Durant / Ezsias approach.