This snapshot, taken on 09/07/2011, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Limits and restrictions

April 2009

Part 5 Limits and restrictions

81A.51  Time limits for dealing with requests

The DPA states that once a data controller has received a written request and sufficient information to identify the person, he has 40 calendar days in which to comply with it. However, the internal target is for The Service to comply with subject access requests within 20 working days, and this is the time frame that should be adhered to.

Upon receipt of the completed request form and suitable identification, the time within which the data controller has to comply with the request will start to run. An assessment should be made as to whether the request can be complied with, e.g. whether disclosing the information would reveal details of a third party. If supplying copies of the information containing personal data of the applicant will involve disproportionate effort, the data controller may be excused from supplying such copies, but it will still be necessary to comply with all the other subject access obligations (see paragraph 81A.31 above). If it is felt that disproportionate effort might be involved in supplying copies of the data, the official receiver should seek guidance from Technical Section. [note 1]

 

81A.52  Failure to comply with request

If a data controller fails to comply with the subject access provisions within the 40-day period, the individual may apply to a court for an order for the data controller to comply with the request. The court will make such an order if it is satisfied that the data controller has failed to comply with the request in contravention of the Act.  [note 2]

 

81A.53  Tampering with information

The information given in response to a subject access request comprises all the personal data held by the data controller at the time that the request is received. Routine amendments and deletions of the data may continue between the date of the request and the date of the reply. However, having received a request, the data controller must not make any special amendment or deletion which would not otherwise have been made. The information must not be tampered with in order to make it acceptable to the individual; to do so is a criminal offence. Section 77 FOI applies to DPA (see Chapter 81, paragraph 81.37 on maintenance of records). [note 3]

 

81A.54  Unlawful obtaining and selling of personal data

This section does not apply to unstructured personal data.

It is an offence under section 55 of the DPA for a person, without the consent of the data controller, knowingly or recklessly to obtain or disclose personal data; to procure the disclosure to another person of the information contained in personal data; or, having done so, to sell or offer to sell such data. It is also an offence for a person to sell or offer to sell personal data knowingly or recklessly obtained without the consent of the data controller.

There are exceptions to the liability for this offence if it can be shown that it was necessary to prevent or detect crime; was required or authorised by law; that the person making the disclosure acted in the reasonable belief that they had the legal right to do so or that the data controller would have consented; or that their actions were justified as being in the public interest. [note 4]

 

81A.55  Rectification, blocking, erasure and destruction

A data subject can apply to the court for an order that the data controller rectify, block, erase or destroy any data that are inaccurate, including any opinion which the court finds is based on inaccurate data. Data are inaccurate if incorrect or misleading as to any matter of fact. The court may (where it considers it reasonably practicable) order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction. In deciding whether it is reasonably practicable to require such notification, the court shall have regard to the number of persons who would have to be notified. [note 5]

 

81A.56  Information Notices 

If the IC receives a request from any person who believes themselves to be directly affected by any processing of personal data by the data controller, the IC will make an assessment as to whether it is likely or unlikely that the processing has been carried out in compliance with the provisions of the DPA. [note 6]

In determining such compliance, the IC may issue an information notice to the data controller, requiring him/her to provide, in such form and within such time as is specified in the notice, such information relating to the request or to compliance with the principles as is specified. [note 7]

 

81A.57  Enforcement Notices 

The IC has the power to serve an enforcement notice if he is satisfied that a data controller has contravened or is contravening the data protection principles. The notice must set out the steps that the data controller must take to comply with the relevant requirements of the Act. The notice may be appealed to the Information Tribunal, which may confirm, amend or overturn it. However, in the absence of an appeal, if the data controller fails to comply with a notice, a criminal offence is committed. [note 8]

It is an offence to fail to comply with an information notice, a special information notice or an enforcement notice issued by the IC, or to knowingly or recklessly make a statement in compliance with such a notice which is false in a material respect. [note 9]

In general terms any correspondence received by an official receiver from the ICO should be passed to Technical Section for advice and, as appropriate, reply.

 

81A.58  Cancellation of Enforcement Notice

If the IC considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection principle or principles to which it relates, he may cancel or vary the notice by written notice to the person on whom it was served. [note 10]

 

81A.59  Fees under DPA

Under DPA, a data controller can charge a fee of up to £10 for responding to a subject access request and supplying any personal data. As the fee does not accurately reflect the actual cost of complying with such requests, and in order to ensure policy consistency with BIS, The Service has decided that no fee should be charged when dealing with a subject access request.

However, charges for unstructured personal information under DPA can be made in accordance with the Fees Regs – see Chapter 81, Part 4.

 
