Guidance from the Information Commissioner’s Office about responding to an individual’s asking to see what personal data an organisation holds about them
The ICO in October 2020 issued guidance about how organisation should respond to a Subject Access Request. The link is here:
ACRCG responded to the consultation in detail (see our previous post with a link to our response to the consultation), and we are pleased that points we made have been taken up. Although the guidance is not specifically designed to meet the rights of adult care leavers, it has some useful messages for organisations to take on board.
Key messages in the guidance:
- it is a fundamental right of all individuals to know what personal information [data] the organisation holds about them
- a request for this information does not have to be in writing: organisations cannot insist on this but it may be useful to record that a request has been made
- the organisation cannot charge a fee and must provide the personal data within 20 working days
- names of person recording personal data about an individual in a professional capacity should be shared with the individual making the request.
We had made this point very strongly because it is most important and here’s the example given in the guidance:
“….it is reasonable for the council to provide the social worker’s personal data to the requester in response to the subject access request. However, the council must either have the consent of the family member, or consider whether it is reasonable to disclose their personal data without consent. If the council does not have consent, it is likely that it needs to reconcile the individual’s right of access in respect of any duty of confidence owed to the family member.”
It remains to be seen, of course, how the guidance will be interpreted by individual local authority departments and will, no doubt dictate further attention by our Association.