UK Information Commissioner’s Office Publishes Revised Subject Access Code of Practice

The UK Information Commissioner’s Office (ICO) has published a revised version of its Subject Access Code of Practice. The code explains the rights of individuals to access their personal data under the UK Data Protection Act 1998 (the Act), clarifies the obligations of data controllers under the Act, and provides practical advice on how to handle such access requests. More specifically, the code describes measures that could be taken to achieve compliance with the Act’s legal requirements.

The code itself does not have the force of law, but rather is designed to promote good practice for organisations of all types, sectors and sizes, stating that the underlying principles concerning subject access are the same in every case.


In the UK, subject access rights are currently found in Section 7 of the Act, and include an individual’s right to view a copy of the information an organisation holds about them, to be told whether any personal data about them is being processed, to have that personal data and the reasons for its processing described to them, to be told whether the personal data will be shared with any other entities, and to be given a copy of this information, including the details of the source of the personal data (if available). Individuals may also request information about the logic (or reasoning) used behind any automated decisions.

Under the Act, organisations typically must respond to such requests no later than 40 days after receiving them; however, there are some exemptions to this rule.

More Than Compliance

The code recommends that organisations view responding to subject access requests not only as a compliance obligation, but also as an opportunity for improving customer service and service delivery. Promptly and fully responding to subject access requests can improve the relationship between organisations and their customers, which can help in avoiding costly disputes and harm to reputation.

Indicators of Good Practice

The code lists the following as indicators of good practice around subject access in an organisation:

  • Training staff on how to recognise and respond to requests;
  • Setting up a dedicated data protection page on the organisation’s intranet with links to subject access request policies and procedures;
  • Appointing a specific person or team as responsible for handling requests;
  • Appointing data protection experts or “champions” who can provide expertise and advice in regard to the processing of personal data and handling requests;
  • Monitoring compliance with legal obligations in regard to requests, and tracking metrics on the details of those requests and how efficiently they are responded to.

Beyond the UK Data Protection Act 1998

In addition to the Act, subject access rights are also found in Article 15 of the upcoming EU General Data Protection Regulation (GDPR). Similar to the Act, under Article 15 of the GDPR, an individual has the right to obtain confirmation about whether their personal data are being processed, to obtain or view a copy of that data, and to be provided with supplemental information about the particular processing taking place.

As a regulation, the GDPR will have immediate applicability in all member states, and with the recent announcement that the UK will align itself with the GDPR despite Brexit, the ICO’s Subject Access Code of Practice will likely be useful even beyond the borders of the UK. Guidance like this will be increasingly important as we approach 25 May 2018 when the GDPR comes into effect.

How OneTrust Helps

OneTrust’s Data Subject Access Request Portal is easy to embed within a privacy policy. Data Subjects simply click to a portal where they can input their basic information to request their data from an organisation. OneTrust’s module also makes it easy for companies to stay organised with processing and responding to requests within the 30-day time limit.