Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS United Kingdom
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in focus View all
Insights by type
CMS Spotlight: join our events and webinars!
CMS News
Stay up to date with our growth, evolution and our many successes.
CMS Press Office
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

Information Commissioner issues Code of Practice on dealing with subject access requests

12 Aug 2013 United Kingdom 3 min read

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

The Information Commissioner's Office ("ICO"), which regulates compliance with the Data Protection Act 1998 ("Data Protection Act"), has published a Code of Practice for organisations when dealing with requests from individuals for personal information, known as data subject access requests (which can be viewed here).

Under the Data Protection Act, individuals have a right to find out what personal information an organisation holds about them by making a subject access request. Employers are increasingly receiving such requests from employees, often where an employment related dispute has arisen. The new Code of Practice is intended to provide useful guidance to organisations to help them deal with such requests.

The Code of Practice covers each aspect of receiving and responding to a request and the online version contains useful hyperlinks to other ICO guidance, such as its Guide to Data Protection (here) and its Guide to Determining what is Personal Data (here).

As part of its launch of the new Code of Practice, the ICO has also published 10 simple steps which organisations should consider when responding to subject access requests, which include:

  • If you need more information from the requester to find out what they want, then ask at an early stage
  • If you are charging a fee, ask for it promptly
  • Consider whether the records contain information about other people
  • Consider whether any of the exemptions apply

An interactive version of the checklist is available here.

Practical considerations

  • ICO statistics state that during the last financial year, they handled over 6000 complaints related to subject access requests.
  • Replying to subject access requests can be a complex process and therefore the new Code of Practice will provide useful guidance on the most common problems faced by employers when responding to such requests.
  • However, employees or ex-employees may point to an employer's failure to comply with the Code of Practice in order to allege a breach of that employer's obligations under the Data Protection Act. In these cases, it should be noted that the Code of Practice is only guidance and, whilst likely to be considered by any relevant court and, crucially, by the ICO when handling any complaints or proceedings, failure to follow the Code will not in itself be a breach of the Data Protection Act.
More insights
Public Procurement Employment, Labour & Pensions Data Protection & Freedom of Information Scotland

Explore more

Event United Kingdom

IP Insights webinar series 2026

03 Jun 2026
Podcast United Kingdom

CMS Unscripted

26 Feb 2026 3 min read
Back to top Back to top
You will now find all Law-Now content on CMS.law
Explore more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.