The ICO exists to empower you through information.

Below is a text version of the theory of change presented in the impact assessment summary for the subject access request (SAR) tool. A theory of change is a systematic approach used in intervention design and evaluation that provides a visual or narrative representation of how and why an intervention is expected to work. It outlines the route to impact from inputs, activities, outputs and outcomes, to impact and sets out the context in which this expected to occur.

Context

Policy:

  • The ICO's strategic plan (ICO25) sets out a specific objective to develop a solution related to SARS that helps people make requests in ways which will help organisations to respond effectively

Legal:

  • Article 15 of UK GDPR sets out data subjects' right to request access to their personal data.

Economic:

  • Organisations, particularly smaller ones, face a cost or burden in responding to SARs. This cost can be greater where SARs are not clear.

Social:

  • SARs help address information asymmetries between organisations and people. They can also help address power imbalances between organisations and people.

Affected groups

  • Organisations
  • People
  • ICO

Inputs

  • Finance
  • ICO systems
  • Staff time

Activities

  • ICO produces a tool.
  • ICO raises awareness of the tool.
  • Organisations engage with and promote resources.

Outputs

  • Organisations use the resources.
  • People engage with the tool and resources.
  • The ICO monitors use and enforces where necessary.

Outcomes

For organisations:

  • Organisations incur familiarisation costs.
  • Organisations find it easier to respond appropriately to SARs.
  • Reduced cost of compliance for organisations.
  • Better engagement between organisations and people.

For people:

  • People better understand their rights.
  • Requests are clearer, more specific and more effective.
  • People gain access to the relevant data they are entitled to.
  • Improved public confidence in organisations with increased compliance.
  • People are able to exercise their rights including non- data protection related.

The ICO

  • Reduced complaints to the ICO.
  • The ICO has more resources to focus on improving compliance.

Impacts

  • Positive impacts on UK economy and society:
  • More efficient, effective and competitive organisations.
  • Reduction in data protection harms.

Assumptions

  • SARs are currently not specific enough
  • Organisations currently find it difficult to resource SARs
  • Organisations generally understand the legislation on SARs well but are risk averse and need more certainty
  • People have varying degrees of understanding of the legislation around SARs
  • Awareness raising measures would reach the target audiences
  • Organisations and people would engage with the solution