Main navigation

Data Protection Act 1998: Guidance for Cabinet Office Staff

Standards and Best Practice Handbook for Government Departments

14. Handling of Subject Access Requests Received by More Than One Department

Issue

Where a data subject makes the same or similar access request to more than one department a consistent approach should be adopted as far as possible to avoid one or more of the departments involved being open to criticism for disclosing a different amount of data to the others. This is not intended as a method of withholding data that should rightly be disclosed under the DPA. Rather it is a means of handling the situation where one department risks disclosing data that is not released by another department.

Standards

2. Departments should not reply to subject access requests which they suspect of being “round robins” without notifying the Openness Unit in the Cabinet Office first.

3. When notified of a suspected round robin, the Cabinet Office will arrange for other departments which may have received a request to be contacted. The Cabinet Office will aim to ensure that any necessary guidance is made available in time for departments to respond within the timescale laid down by the Act.

Recommended best practice

4. If a department receives a data subject access request that they suspect is a round-robin or has gone to more than one department:

• they should inform the Cabinet Office Historical and Records Division, Openness Unit;
• the Cabinet Office will then use the Data Protection Practitioners’ Group (DPPG) network to establish whether other departments have received identical or similar subject access requests;
• where the Cabinet Office is among the departments that have received a subject access request the Cabinet Office will take the lead in setting up the handling process. This is likely to result in convening a meeting involving all the departments who have received an identical or similar access request; and
• where the Cabinet Office is not among the departments that have received the subject access request, consideration will be given as to whether there is a suitable candidate other than the Cabinet Office to take the lead in setting up the handling process. In the absence of such a candidate it will fall to the Cabinet Office to take the lead as if they had been among the departments that had received a subject access request.

5. Factors that will need to be considered in adopting a consistent approach to the handling of subject access requests that have been received by more than one department include:

• whether sufficient proof has been provided to confirm the identity of the person submitting the data subject access request or whether further evidence is required (section 7(3) of the DPA);
• whether it is necessary to seek clarification from the data subject of the material being sought or the period covered by the request, to narrow down the search (section 7(3) of the DPA);
• period to be covered by departmental searches;
• any use it is proposed to make of exemptions (sections 28-36 and Schedule 7 of the DPA);
• line to be taken where another individual can be identified from the data that is potentially disclosable (sections 7(4)-7(6) of the DPA);
• preferred method of providing the data, eg a digest of extracts or a mixture of extracts and redacted material (section 7(1)(c)(i) of the DPA);
• where press summaries or Parliamentary Questions are involved whether there is a need to supply extracts or simply refer to their existence; and
• determination of any clearance process that may be necessary.

6. Departments should continue to apply their normal charging policy. Since the Act permits data controllers to charge at their discretion, there is no necessity for consistency across government.

7. Depending on the nature and complexity of the subject access request there may be a need for additional handling meetings as the case progresses.

8. The process will also include monitoring progress in achieving the 40-day timescale for responding to the subject access request (section 7(10) of the DPA). Where a department finds that it cannot meet the statutory timescale the aim should be to disclose as much data as can be released within the 40-day period.

9. A diagram depicting the handling process is attached at 14A.

Section 14A. Handling Process in Diagrammatic Form

Data Protection Handbook [PDF, 710KB]

[Top]