Part 5 Limits and restrictions
The DPA states that once a data controller has received a written request and sufficient information to identify the person, they must respond ‘promptly’ and in any event within 40 calendar days. The internal target is for The Service to comply with subject access requests within the DPA time limit.
Once the FOI/DPA Team has been notified of the request and suitable ID has been obtained by the Team, the time within which the data controller has to comply with the request will start to run. An assessment should be made as to whether the request can be complied with, e.g. would disclosing the information reveal details of a third party. If supplying copies of the information containing personal data of the applicant will involve disproportionate effort, the data controller may be excused from supplying such copies, but it will still be necessary to comply with all the other subject access obligations (see paragraph 81A.31). If it is felt that disproportionate effort might be involved in supplying copies of the data, the official receiver should seek guidance from the FOI/DPA Team. [note 1]
If a data controller fails to comply with the subject access provisions within the 40-day period, the individual may apply to a court for an order for the data controller to comply with the request. The court will make such an order if it is satisfied that the data controller has failed to comply with the request in contravention of the Act. [note 2]
The personal data forming a subject access request comprises all the personal data held by the data controller at the time that the request is received (unless the request is prescribed as detailed in paragraph 81A.31a, Part 2). However, routine amendments and deletions of the data may continue between the date of request and date of reply. But, having received a request, the data controller must not make any special amendment or deletion which otherwise would not have been made. The information must not be tampered with in order to make it acceptable to the individual; to do so is a criminal offence. Section 77 FOI applies to DPA (see Chapter 81, paragraph 81.37 on maintenance of records). [note 3]
This section does not apply to unstructured personal data.
It is an offence under section 55 of the DPA for a person, without the consent of the data controller, knowingly or recklessly to obtain or disclose personal data; to procure the disclosure to another person of the information contained in personal data; or, having done so, to sell or offer to sell such data. It is also an offence for a person to sell or offer to sell personal data knowingly or recklessly obtained without the consent of the data controller.
There are exceptions to the liability for this offence if it can be shown that it was necessary to prevent or detect crime; was required or authorised by law; that the person making the disclosure acted in the reasonable belief that they had the legal right to do so or that the data controller would have consented; or that their actions were justified as being in the public interest. [note 4]
A data subject can apply to the court for an order that the data controller rectify, block, erase or destroy any data that are inaccurate, including any opinion which the court finds is based on inaccurate data. Data are inaccurate if incorrect or misleading as to any matter of fact. The court may (where it considers it reasonably practicable) order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction. In deciding whether it is reasonably practicable to require such notification, the court shall have regard to the number of persons who would have to be notified. [note 5]
If the IC receives a request by any person who believes themselves to be directly affected by any processing of personal data by the data controller, the IC will make an assessment as to whether it is likely or unlikely that the processing has been carried out in compliance with the provisions of the DPA. [note 6]
In determining such compliance the IC may issue an information notice to the data controller, requiring him/her to provide such information relating to the request, in such form as may be specified, or to compliance with the principles, as specified and within such time as is specified in the notice. [note 7]
The IC has the power to serve an enforcement notice if he is satisfied that a data controller has contravened or is contravening the data protection principles. The notice must set out the steps that the data controller must take to comply with the relevant requirements of the Act. The notice may be appealed to the Information Tribunal which may confirm, amend or overturn it. However, in the absence of an appeal, if the data controller fails to comply with a notice, a criminal offence is committed. [note 8]
It is an offence to fail to comply with an information notice, a special information notice or an enforcement notice issued by the IC, or to knowingly or recklessly make a statement in compliance with such a notice which is false in a material respect. [note 9]
All correspondence received by an official receiver (or other part of The Service) from the ICO should be passed to the FOI/DPA Team for advice and, as appropriate, reply.
If the IC considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection principle or principles to which it relates, he may cancel or vary the notice by written notice to the person on whom it was served. [note 10]
Under DPA, a data controller can charge a fee of up to £10 for responding to a subject access request and supplying any personal data. As the fee does not accurately reflect the actual cost of complying with such requests, and in order to ensure policy consistency with BIS, The Service has decided that no fee should be charged when dealing with a subject access request. Any remittance received from an applicant should be returned or refunded.
However, charges for unstructured personal information under DPA can be made in accordance with the Fees Regs – see Chapter 81, Part 4. The advice of the FOI/DPA Team should be obtained if dealing with a request for unstructured personal information.