The ICO has published a revised Subject Access Code of Practice. The ICO states that organisations should adopt a positive outlook on Subject Access Requests (SARs): apart from fulfilling a legal right, this is an 'opportunity for you to improve your customer service and service delivery'. The ICO encourages organisations to start a dialogue with the requester: "We consider it good practice for you to engage with the applicant, having an open conversation about the information they require. This might help you to reduce the costs and effort that you would otherwise incur in searching for the information." The Code was in need of updating because of the recent court cases on SARs, and the section on disproportionate effort does indeed refer to the Court of Appeal cases of Dawson-Damer and Ittihadieh/Deer and Oxford University. The comprehensive 65-page code suggests indicators of good practice, but does not make reference to the changes that will be made to SARs under the GDPR. Helpfully, the ICO says that it does not expect organisations to instruct staff to search their private emails or personal devices in response to a SAR unless they have a good reason to believe that those staff are holding relevant personal data. The ICO makes the point that individuals may make a SAR via any Facebook page or Twitter account the organisation in question has, via other social-media sites to which it subscribes, or possibly via third-party websites. On the question of deleted data, the ICO says that it 'would not seek to take enforcement action against an organisation that has failed to use extreme measures to recreate previously deleted personal data held in electronic form. The Commissioner does not require organisations to expend time and effort reconstituting information that they have deleted as part of their general records management.'
The revised code, issued on 9 June, is at https://ico.org.uk/media/for-organisations/documents/2014223/subject-access-code-of-practice.pdf