Avoiding Data Request Enforcement: U.K. Privacy Office

By George Lynch

Aug. 15 — A recent fine for mishandling a request for access to personal information demonstrates why companies must be careful in their handling of such requests, the U.K. national privacy office said in Aug. 15 guidance.

U.K. citizens have a fundamental right under the Data Protection Act (DPA) to request information, so companies and other organizations have to know how to comply with subject access requests (SARs), the Information Commissioner's Office said in a blog post.

The ICO encouraged companies to familiarize themselves with SARs, pointing out that 46 percent of all complaints made to the ICO in 2015 were related to the difficulties people faced when requesting personal information from organizations.

Medical Data Breach

Regal Chambers, a U.K. general practitioner, was fined 40,000 pounds by the ICO after it released personal information about a woman and her family when her ex-partner requested medical information for the former couple's son.

The ICO's subsequent investigation found that Regal Chambers was in breach of the DPA because it had an insufficient system to prevent releases of personal data to persons who weren't authorized to receive it. It also found that staff had received inadequate training about what information could be disclosed and what information should be withheld.

The ICO also pointed organizations to its subject access code of practice.

To contact the reporter on this story: George R. Lynch in Washington at glynch@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.