Summary
The text below provides a summary of the potential impacts we have considered up to and including the beta testing phase.
Problem definition and rationale
This section provides outlines of the problem the ICO is aiming to address and the rationale for intervening
Problem definition
The ICO receives a high volume of complaints from requesters about SARs, relative to other data protection issues. User research 1 suggests complaints are often driven by a lack of clarity in the initial request and a lack of understanding of the process amongst requesters. Responding to SARs incurs a time cost for organisations, which increases when requests are less clear and less specific.
Rationale for intervention
SARs mitigate against potential market failures resulting from the power imbalance between organisations and people. This can present as an asymmetric information failure related to the personal information that organisations hold. When SARs to organisations are not clear, this limits the ability to mitigate against market failures and negative externalities. More specifically, this can result in harms to people where they are unable to exercise their rights. This could include data protection rights such as right of access but also other rights. For example, a person could be prevented from gaining access to their information to use as evidence in a criminal trial or employment tribunal. Data protection harms resulting from an inability to access personal data could include an inability to manage risk or anxiety resulting from not knowing who has access to what type of personal data and whether it is at risk of a breach.
As part of ICO25 (the ICO’s strategic plan), the annual action plan outlined a commitment to “develop a subject access request (SAR) tool to help people make requests in ways which will help organisations to respond effectively. The tool will help people identify where to send their requests and explain what they should expect. The receiving organisation will receive information from the ICO to help them respond quickly and simply”.
The potential for market failure, harms and positive policy alignment, present a strong rationale for intervention.
The proposed intervention
Here we outline the options that were considered and the detail of the proposed intervention.
Options appraisal
In the interests of proportionality, the options considered have been condensed into four options that provide a good sense of the implications of alternative approaches and demonstrate why the ICO decided on the preferred option. This approach follows government guidance on policy development and appraisal. The options are as follows:
- Do nothing: keep the current template and guidance in place;
- Do less: provide additional guidance to organisations on SARs;
- Preferred: Develop a tool and other additional resources to aid people and organisations with SARs; and
- Do more: change the law on SARs.
These options were appraised against critical success factors such as achievability, cost and impact. Option 3 was identified as the preferred option for year one of the ICO25 plan (October 2022 to October 2023) but will be revisited as the project progresses.
Detail of proposed intervention
The intervention is focused on developing a tool to allow people to make SARs from the ICO’s website that are sent directly to the desired organisation. The tool is being scoped alongside development and testing as part of an agile project management approach. The tool’s aims to provide a user friendly and free service for organisations and requesters which will:
- provide more specific requests to organisations;
- help manage requesters expectations; and
- provide guidance to organisations at the time they need it.
The intervention is currently in beta testing with the public on the external ICO website and will be revisited as the project progresses. Given the agile nature of the project, there are no specific deadline but we expect it to be delivered during the course of the ICO25 period (October 2022 to October 2025).
Cost-benefit analysis and review
This section outlines the costs and benefits we have identified and the review structure for the intervention.
Cost-benefit analysis
The costs and benefits of the intervention have been identified, as far as is possible and proportionate. Below is a summary of some of the costs and benefits we have considered. This should not be viewed as exhaustive or hierarchical.
Table 1: Summary of cost and benefits
Benefits | Costs | |
Organisations |
|
|
People |
| |
ICO |
|
|
Wider society |
|
Overall our assessment suggests that the benefits, in particular through improving organisations’ ability to efficiently deal with SARs, outweigh the costs identified.
Monitoring and review
In line with best practice and organisational standards, when the proposed resources are finalised, we will put in place an appropriate and proportionate review structure. This could include:
- usage figures to monitor the number of times the solution produces a SAR;
- feedback from requesters and organisations on the usefulness of the solution; and
- engagement figures that monitor how many times the page and any associated materials are visited.
1 Unpublished ad hoc research carried out by the ICO’s delivery team. Includes a review of complaints data and interviews with organisations to improve the understanding of the problem.