In light of two recent Court of Appeal judgements, Dawson-Damer & Ors v Taylor Wessing LLP and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford, dealing with disproportionate effort when responding to subject access requests, the Information Commissioners Office (ICO) has updated both their DPA guidance and CCTV and SAR codes of practice.
ICO have made it clear that it is still up to data controllers to prove that they have taken reasonable steps to comply with a SAR and that it would be disproportionate to take any further steps, and that if compliance with the request would involve disproportionate effort then an attempt should be made to comply in some other way. However, the Court of Appeal judgements confirm that data controllers can take into account difficulties which occur throughout the process of complying with a request, including difficulties in finding the requested information.
To reflect this, a number of chapters which deal with the disproportionate effort exception in the Subject Access Code of Practice have been amended. Specifically, this includes highlighting to organisations that when they design or specify systems such as CCTV they should bear in mind the need to facilitate the handling of SARs, clarifying that personal data is exempt from subject access if it consists of information for which legal professional privilege could be claimed and recording the Court of Appeal's view that the court has a wide discretion to order compliance with a SAR. It has also been made clear that the existence of a collateral purpose or legal proceedings when making a SAR is irrelevant.
The CCTV Code of Practice has also been amended to reflect the Court's judgements on the application of the disproportionate effort exception and to highlight to organisations the need to ensure the design of CCTV and other surveillance systems facilitates the handling of SARs.
The section on “What if sending out copies of information will be expensive or time consuming?” and "Legal advice and proceedings" in the Guide to Data Protection have also had amendments made to address the same points.