The ICO exists to empower you through information.

Summary

The text below provides a summary of the potential impacts we have considered up to and including the beta testing phase.

Problem definition and rationale

This section provides outlines of the problem the ICO is aiming to address and the rationale for intervening

Problem definition

The ICO receives a high volume of complaints from requesters about SARs, relative to other data protection issues. User research 1 suggests complaints are often driven by a lack of clarity in the initial request and a lack of understanding of the process amongst requesters. Responding to SARs incurs a time cost for organisations, which increases when requests are less clear and less specific.

Rationale for intervention

SARs mitigate against potential market failures resulting from the power imbalance between organisations and people. This can present as an asymmetric information failure related to the personal information that organisations hold. When SARs to organisations are not clear, this limits the ability to mitigate against market failures and negative externalities. More specifically, this can result in harms to people where they are unable to exercise their rights. This could include data protection rights such as right of access but also other rights. For example, a person could be prevented from gaining access to their information to use as evidence in a criminal trial or employment tribunal. Data protection harms resulting from an inability to access personal data could include an inability to manage risk or anxiety resulting from not knowing who has access to what type of personal data and whether it is at risk of a breach.

As part of ICO25 (the ICO’s strategic plan), the annual action plan outlined a commitment to “develop a subject access request (SAR) tool to help people make requests in ways which will help organisations to respond effectively. The tool will help people identify where to send their requests and explain what they should expect. The receiving organisation will receive information from the ICO to help them respond quickly and simply”.

The potential for market failure, harms and positive policy alignment, present a strong rationale for intervention.

The proposed intervention

Here we outline the options that were considered and the detail of the proposed intervention.

Options appraisal

In the interests of proportionality, the options considered have been condensed into four options that provide a good sense of the implications of alternative approaches and demonstrate why the ICO decided on the preferred option. This approach follows government guidance on policy development and appraisal. The options are as follows:

  1. Do nothing: keep the current template and guidance in place;
  2. Do less: provide additional guidance to organisations on SARs;
  3. Preferred: Develop a tool and other additional resources to aid people and organisations with SARs; and
  4. Do more: change the law on SARs.

These options were appraised against critical success factors such as achievability, cost and impact. Option 3 was identified as the preferred option for year one of the ICO25 plan (October 2022 to October 2023) but will be revisited as the project progresses.

Detail of proposed intervention

The intervention is focused on developing a tool to allow people to make SARs from the ICO’s website that are sent directly to the desired organisation. The tool is being scoped alongside development and testing as part of an agile project management approach. The tool’s aims to provide a user friendly and free service for organisations and requesters which will:

  • provide more specific requests to organisations;
  • help manage requesters expectations; and
  • provide guidance to organisations at the time they need it.

The intervention is currently in beta testing with the public on the external ICO website and will be revisited as the project progresses. Given the agile nature of the project, there are no specific deadline but we expect it to be delivered during the course of the ICO25 period (October 2022 to October 2025).

Cost-benefit analysis and review

This section outlines the costs and benefits we have identified and the review structure for the intervention.

Cost-benefit analysis

The costs and benefits of the intervention have been identified, as far as is possible and proportionate. Below is a summary of some of the costs and benefits we have considered. This should not be viewed as exhaustive or hierarchical.

Table 1: Summary of cost and benefits

Benefits Costs
Organisations
  • increased knowledge and confidence when responding to SARs
  • reduction in costs associated with SARs;
  • improved regulatory; certainty;
  • improved public confidence in organisations with increased data protection compliance.
  • initial familiarisation costs with the new tool
People
  • increased knowledge and confidence when making SARs;
  • ability to exercise their data protection rights such as right of access or right to erasure;
  • ability to exercise non data protection rights such as the use of personal data to support a legal process;
  • easier access to their personal data
  • reduction in data protection harms.
ICO
  • reduced number of complaints resulting from SARs;
  • ability to allocate more resources to focus on improving compliance.
  • upfront resource costs of production, awareness raising and delivery of the tool
Wider society
  • reduction in societal costs associated with data protection harms;
  • more efficient, effective and competitive organisations

Overall our assessment suggests that the benefits, in particular through improving organisations’ ability to efficiently deal with SARs, outweigh the costs identified.

Monitoring and review

In line with best practice and organisational standards, when the proposed resources are finalised, we will put in place an appropriate and proportionate review structure. This could include:

  • usage figures to monitor the number of times the solution produces a SAR;
  • feedback from requesters and organisations on the usefulness of the solution; and
  • engagement figures that monitor how many times the page and any associated materials are visited.

1 Unpublished ad hoc research carried out by the ICO’s delivery team. Includes a review of complaints data and interviews with organisations to improve the understanding of the problem.