The Information Commissioner’s Office (ICO) has launched a consultation on draft guidance for the handling of subject access requests (SARs) under the General Data Protection Regulation (GDPR).
It said the draft, which comes with a survey, builds on existing guidance on the legal obligations that organisations have to meet when people ask for copies of their information, and provides best practice advice.
The guidance takes in issues such as recognising an SAR, what to consider when responding to a request, when it is appropriate to refuse one, and what to do if a request involves information on other individuals. It also includes sections specifically on healthcare, education and social work data.
The ICO said it is running the consultation until 12 February 2020 and wants to hear from organisations about whether the guidance works for them and if they have any practical examples that reflect difficulties they are facing.
Chris Hogan, group manager for regulatory assurance (policy) at the ICO, said: “The right of access is one of the most fundamental elements of the GDPR and it is important that controllers get it right.
“We are keen to provide detailed and informative guidance that explains this right. Before we publish this guidance in full, we want to hear from controllers and individuals to find out whether it works for them, and in particular whether there are issues that we have not addressed.”
Earlier this year the ICO took the rare step of publicly criticising the Metropolitan Police for its handling of SARs, saying it had been far too slow in its responses.
