Blog details

ICO launches consultation on draft right of access guidance

ICO launches consultation on draft right of access guidance

From now until February 12, 2020, the ICO will facilitate a public consultation on draft right of access guidance.

Over a year and a half ago, the GDPR was officially implemented within the EU and UK with an aim of giving greater control to individuals over their personal data. Article 15 of the GDPR specifically zones in on an individuals right of access to information collected about them from a data controller. Understanding the vital importance of this right towards the overall mandate of the GDPR and the UKs Data Protection Act 2018, the ICO has now drafted a more detailed guidance on the right of access and the obligations of controllers. Last week, the ICO officially launched a consultation on the draft guidance in order to gain feedback from stakeholders and the public. This consultation closes on February 12, 2020.

What is the Right of Access?

According to Article 15.1 of the GDPR

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:


the purposes of the processing;


the categories of personal data concerned;


the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;


where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;


the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;


the right to lodge a complaint with a supervisory authority;


where the personal data are not collected from the data subject, any available information as to their source;


the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences ofsuch processing for the data subject.

More simply put, the ICO explains that the right of access gives individuals the right to obtain a copy of their personal data from a data controller, as well as other supplementary information.

Overview of ICOs draft right of access guidance

The ICO draft right of access guidance provides data controllers with insight on how to prepare for the right of access as well we how recognize and respond to a subject access request (SAR). It offers strategies related to the retrieval of relevant information and how to subsequently supply this information to the requester.  Refusal of requests, exemptions, special cases, health data, education data and social work data are also expounded on in this thorough draft guidance from the ICO.

Does your company collect personal data during the course of your operations? If yes, has your firm taken active steps towards honouring an individuals right of access? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.  

Prev post
ePrivacy Regulation Draft to be updated and presented at next EU Presidency
December 6, 2019
Next post
Profiling and the GDPR —here’s what you need to know
December 13, 2019

Leave a Comment