Too many consumers are being denied the right to access the information that companies or public bodies hold about them, Information Commissioner, Christopher Graham, said in a speech on 27 January. Mr Graham said that complaints about mishandled subject access requests in the last financial year accounted for over a third (38%) of the ICO’s total data protection specific casework. In order to resolve this issue, the ICO has launched an awareness-raising campaign called Access Aware.
Christopher Graham said:
‘Organisations that handle personal information need to remember that customer records are not simply their property – the individuals who do business with them also have rights. We are seeing far too many complaints that could easily have been avoided if they’d been given serious and timely consideration.
The result of mishandling requests is not simply a blip on customer service satisfaction levels, it can cause individuals a great deal of upset. The people who are making these requests are not doing it for fun; the vast majority are seeking resolutions to real problems – such as being refused credit or making important decisions about their health. I hope businesses and bodies that handle personal data use European Data Protection Day as a prompt to think about ways to improve their subject access request handling. Our Access Aware materials have been designed to help them do just that.’
Access Aware is one of the first outcomes of the ICO’s information rights priority work. Banking and finance companies as well as health bodies have been identified as the worst performing sectors in relation to handling subject access requests. A more general problem around access to employee records has also been noted across all sectors.
The sector that continues to generate the most complaints about subject access requests is lenders. In 2010/11, over a third (34%) of completed data protection specific complaints concerning financial institutions were about mishandled subject access requests.
Health bodies and policing and crime organisations have also continued to generate a high level of subject access related complaints. In 2010/11, almost half (45%) of data protection specific complaints about health bodies concerned mishandled requests. In the same year, 34% of data protection specific complaints in the policing and criminal justice sector were about subject access.
The Access Aware campaign aims to promote awareness of what a subject access request looks like and what to do if one is received. Requests can be received by anyone working in an organisation and can take many forms – from a detailed email asking for specific information to a single sentence within a more general complaint letter. Requests must be answered within 40 calendar days.
Some organisations may choose to charge a fee for handling a subject access request. The maximum fee that most organisations can charge is £10.