ICO updates subject access request code of practice

June 26 12:47 2017

The Information Commissioner’s Office has tightened up the code of practice on subject access requests (SAR), meaning that staff who use their own devices for work purposes might have to let their bosses search those devices to comply with the law.

Under the Data Protection Act, people have a right to obtain a copy of the personal data organisations hold on them by filing a SAR, which must be complied with within 40 days.

The details provided include the type of personal data the organisation holds, what it is used for and the third parties which have access.

The ICO’s new code is especially relevant to organisations that embrace a so-called “bring your own device” (BYOD) strategy.

“If you permit staff to hold personal data on their own devices, they may be processing that data on your behalf, in which case it would be within the scope of a SAR you receive,” the ICO said. “The purpose for which the information is held, and its context, is likely to be relevant in this regard. We would not expect you to instruct staff to search their private emails or personal devices in response to a SAR unless you have a good reason to believe they are holding relevant personal data.”

Under GDPR, organisations will have to respond to SARs “without undue delay and at the latest within one month”.

This article and any associated images were originally published here: http://www.dataiq.co.uk/news/ico-updates-subject-access-request-code-practice


About Article Author

GDPR Associates