New ICO Subject Access Code of Practice helps organisations give people control over their data


The Information Commissioner’s Office

8 August 2013

Most common reason for complaining to the ICO with over 6,000 complaints last year

The Information Commissioner’s Office (ICO) has today published new guidance for organisations to help them deal with requests from individuals for their data.

Under the Data Protection Act, anyone has the right to find out what information an organisation holds about them by making a subject access request. This right allows individuals to find out important information ranging from details recorded on their credit history to data included in their health record. Once received, an organisation normally has forty days to reply to the request.

During the last financial year the ICO handled over 6,000 complaints related to subject access requests, with over one in six of these complaints relating to money lenders, including credit reference agencies and banks.

The new guidance, which has been accredited by the Plain Language Commission, will help organisations handle subject access requests more efficiently, while supporting the public in taking control of their personal information.

Announcing the publication of the ICO’s new Subject Access Code of Practice, the Information Commissioner, Christopher Graham, said:

“We are all being asked to provide organisations with more and more information about ourselves and subject access requests are a useful tool for keeping control of our data. They can be particularly important when checking your credit rating or applying for a loan, but the ICO’s complaints figures show that many organisations still need to improve their processes for dealing with these requests.

“Handling subject access requests correctly can also benefit organisations by highlighting errors and helping them to make sure the information they are using is accurate and up-to-date.

“Our new Subject Access Code of Practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect. This can only be a good thing for organisations and consumers.”

As part of the launch the ICO has published ten simple steps which organisations should consider when responding to subject access requests.

1. Identify whether a request should be considered as a subject access request

2. Make sure you have enough information to be sure of the requester’s identity

3. If you need more information from the requester to find out what they want, then ask at an early stage

4. If you’re charging a fee, ask for it promptly

5. Check whether you have the information the requester wants

6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…

7. …But do consider whether the records contain information about other people

8. Consider whether any of the exemptions apply

9. If the information includes complex terms or codes, then make sure you explain them

10. Provide the response in a permanent form, where appropriate

The ICO will also be carrying out a ‘subject access request sweep’ of websites later in the year. The project will look at the information organisations in the public, private and third sector are providing to anyone who may want to make a subject access request, and will prompt a report that will be published in the new year.

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at:


  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
     • Fairly and lawfully processed
     • Processed for limited purposes
     • Adequate, relevant and not excessive
     • Accurate and up to date
     • Not kept for longer than is necessary
     • Processed in line with your rights
     • Secure
     • Not transferred to other countries without adequate protection

About the Author

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We do this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken.

The ICO enforces and oversees the following legislation:

  •  Data Protection Act 1998
  •  Freedom of Information Act 2000
  •  Privacy and Electronic Communications Regulations 2003
  •  Environmental Information Regulations 2004

Article Published/Sorted/Amended on Scopulus 2013-08-08 11:15:53 in Business Articles
