New ICO guidance for employers on dealing with subject access requests
07/07/23

The Information Commissioner's Office (ICO) has recently published guidance on subject access requests (SARs) for businesses and employers, "SARs Q&A for employers", alongside a blog post. In this insight, we summarise the key points and what, if anything, has changed.
Background
The UK General Data Protection Regulation (GDPR) gives individuals (“data subjects”), amongst other things, the right of access to personal data that organisations hold about them. The personal information held by a current or former employer can include details of the data subject’s attendance and sickness records, and personal development or HR records, as well as email communications about the data subject. If organisations fail to respond to SARs promptly they can be subject to fines or a reprimand from the ICO.
The ICO received almost 16,000 complaints relating to SARs from April 2022 to March 2023. A spokesperson at the ICO commented that "many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests".
Key Points
We have highlighted some of the key points in the guidance below:
- A SAR does not have to be in a certain format in order to be valid. This is an important reminder for employers not to ignore or refuse to respond to SARs made informally or even verbally. Examples of SARs in the guidance include ‘Please send me my HR file’ and ‘What information do you hold on me?’ Ensuring staff understand what a SAR may look like and what to do when a SAR is received will be crucial to compliance. Employers also need to consider whether to treat requests such as a request for a copy of an HR file as a SAR where the request does not mention the legislation.
- Employers can clarify the scope of the SAR, which may reduce the amount of information they need to send. However, if the individual does not respond, or refuses to narrow their request, this will not (of itself) extend the time for compliance. The employer still has to complete a reasonable and proportionate search for the information requested and respond fully without delay and, in any event, within one month of receipt of the original request (unless the SAR is particularly complex or onerous, in which case the response time can be extended to up to 3 months).
- Employers can refuse to comply with a SAR if it is ‘manifestly unfounded’ or ‘manifestly excessive’. The guidance sets out how employers should assess whether a request meets the required thresholds. Examples of each are given, but essentially, each request has to be considered on a case-by-case basis with reference to all relevant information. A blanket policy approach of when an employer can rely on manifest excessiveness is therefore discouraged.
- If responding to a SAR may result in third party information being disclosed, the employer may refuse to comply with it to the extent that (1) the third party information cannot be anonymised; or (2) the third party has not consented (although note, there is no obligation to seek consent and it may not always be appropriate to do so) and it is reasonable to comply with that part of the request without that third party’s consent. The guidance sets out the relevant circumstances that an employer must consider in order to determine what is reasonable. Specific guidance is provided for employers in relation to the disclosure (or otherwise) of documents that may include third-party information, for example, witness statements, whistleblowing reports and confidential references. Other exemptions may also be applicable.
- The right to personal information cannot be overridden by the individual having signed a non-disclosure or settlement agreement. Neither can a request be refused on the basis that the individual is going through a tribunal or grievance process and is likely to wish to use the information disclosed via the SAR as evidence.
What to take away
Dealing with SARs can be a difficult and time-consuming exercise for employers, particularly where the SAR is being used as a means of ‘evidence gathering’ where there is an ongoing internal dispute or employment tribunal claim. The guidance provides some welcome clarification for employers on their obligations and the rights of individuals under data protection law. It includes a number of helpful examples of what employers “must” (reflecting legal requirements) and “should” (reflecting ICO recommendations for best practice) do when responding to SARs from employees.
How Capsticks can help
Capsticks supports employers in meeting their obligations under the law relating to data subject rights by undertaking health-checks on policies, handling complex requests for disclosure of records, including preparation of redactions, and delivering training to staff at all levels.
We also support employers to deal with any complaints that may arise (by conducting investigations, supporting decision makers and HR, and defending any legal claims and ICO complaints).
If you would like advice or training, or need further guidance on data protection and/or SARs (either generally or in relation to a specific case), please contact Andrew Latham, Lauren Danks, Saira Ramadan and John Lewis.