Responding to a Subject Access Request: New ICO Guidance for Employers
The Information Commissioner’s Office (ICO) has recently published new guidance to help employers respond to subject access requests (SARs). The Q&A-style guidance reminds employers of their key obligations and addresses some of the common misunderstandings that organisations have.
It follows the ICO receiving over 15,000 complaints relating to SARs between April 2022 and March 2023, and its more recent action against Plymouth City Council and Norfolk County Council for failing to respond to requests on time.
What is a SAR?
Under the UK General Data Protection Regulation (GDPR), individuals have the right to obtain a copy of their “personal data” from their employers, including details of where it came from, how it is being processed and who it is being shared with.
The GDPR’s definition of “personal data” is deliberately wide and captures any information by which an individual is directly or indirectly identifiable.
Identifying the SAR
The first step in responding to a SAR is identifying that it has been made.
An individual does not have to submit a SAR in any particular format, meaning it could be made verbally, in writing or even through social media. In addition, the request does not have to identify itself as a “subject access request” or be directed to any specific person within the organisation. The new ICO guidance confirms that requests as simple as “what information do you hold on me?” or “please send me my HR file” will amount to SARs.
To minimise the risk of a SAR going undetected, the new guidance recommends that employers should have a designated person, team and email address to receive SARs.
Acknowledging or clarifying the SAR
Having identified that a SAR has been made, it is good practice for employers to acknowledge receipt of the request.
Alternatively, an employer may ask an individual to clarify the scope of their request if it processes a large amount of that individual’s personal data and clarification is necessary to respond to the request. This might be the case where, for example, a long-standing employee requests all of their personal data, but clarifying the request could reveal that they are only seeking information about their latest appraisal.
Responding to the SAR
An employer must make reasonable efforts to retrieve the personal data requested. Depending on the nature of the request, this could include searching email inboxes, HR files, call recordings and hard copy notes.
Once an employer has identified the information that it must disclose, it should supply this to the requester in a commonly used electronic format (if the request was submitted electronically) or in any commonly used format (if the request was submitted non-electronically). It must be provided in a concise, transparent and intelligible manner.
Withholding information or refusing to comply with the SAR
An employer may withhold information from their response if it falls under one of a limited number of exemptions. These exemptions include information about other people, management information which would be likely to prejudice the conduct of business or confidential communications between the employer and its legal advisers. However, each exemption must be applied on a case-by-case basis and the employer must document their justification for relying on it.
Where an employer does withhold information, they should seek to be as transparent as possible. However, in some circumstances, it will not be appropriate to tell the requester that information has been withheld (for example, where this would prejudice the purpose of the exemption).
An employer may also refuse to comply with a SAR altogether where it is manifestly unfounded or manifestly excessive. A request may be manifestly unfounded where it is made solely to disrupt the business or may be manifestly excessive where it is obviously unreasonable in the circumstances.
It is important that employers consider all of the circumstances before concluding a SAR is manifestly excessive, such as the nature and context of the request and their own resources. A request will not be manifestly excessive just because it requests a large amount of data or will be difficult to comply with.
Other FAQs in the new guidance
The new ICO guidance also answers a number of other frequently asked questions about responding to SARs. In particular, employers should be aware that:
- An employer must search social media platforms and messaging applications such as Facebook, WhatsApp and Microsoft Teams if these are used for business purposes and fall within the scope of the request
- An employer must disclose CCTV footage if this falls within the scope of the request, but must also redact any third party personal data where this appears within the footage
- An individual can make a SAR during a grievance or Employment Tribunal procedure
- A settlement agreement purporting to prevent an employee from making a SAR is unlikely to be an effective waiver of this right
An employer should respond to a SAR without undue delay and, at the latest, within one month of receipt of the request. Where an employer requests clarification of the request, the clock will be “paused” for the purposes of this time limit.
It is possible to extend the one-month deadline where the request is complex and/or the individual makes a number of requests (such as access and erasure). Whether a request is “complex” will depend on the circumstances, such as how difficult it is to retrieve the data, how much information needs to be redacted and the need to obtain specialist legal advice.
An employer will not normally be able to charge a fee for responding to a SAR.
Consequences of non-compliance
If an individual is unhappy with the response they receive, they should work with the employer to resolve this. However, if no resolution can be found, they may raise a complaint with the ICO.
The ICO has the power to take action where the employer has failed to comply with their obligations, which may take the form of a warning, reprimand, enforcement notice or penalty notice. An individual may also claim compensation where they have suffered damage or distress arising from an infringement of their right of access. Finally, where an employer destroys or conceals personal data in order to avoid disclosing it to the requester, this may amount to a criminal offence attracting criminal sanctions.
As such, it is in an employer’s best interests to respond to a SAR promptly, fully and transparently at all times.
Disclaimer: General Information Provided Only
Please note that the contents of this article are intended solely for general information purposes and should not be considered as legal advice. We cannot be held responsible for any loss resulting from actions or inactions taken based on this article.