ICO’s Subject Access Request Guidance and What it Means for Employers

Following more than 15,000 subject access complaints to the Information Commissioner’s Office (ICO) last year alone, the ICO has issued updated guidance to assist employers in responding to subject access requests.

A subject access request (SAR) gives an individual the right to request a copy of the personal information that is held about them by an organisation – that can include HR records, emails and other internal communications about them which are held by their employer.

While not a new right, since the introduction of the GDPR (General Data Protection Regulation) in 2018, we have seen the number of SARs received by our clients skyrocket, and the process of responding to these requests has become increasingly complex given the range and amount of information that employers now hold about their employees.

Against these trends, the ICO – which has regulatory responsibility for data protection matters in the UK – has issued updated guidance surrounding SARs to set out its expectations regarding the steps that organisations should take to comply with the requests they receive.

While the ICO’s guidance provides some helpful practical insight – namely through the case study examples included in its accompanying Q&A document – it largely represents a consolidation of previous guidance that the ICO had published on its website.

The key points for employers to note are:

1. There is no formal process required to make a valid SAR and requests can be made verbally or in writing (including via social media). The request can also be validly directed to any individual within the organisation meaning that it is important that all staff are able to recognise a SAR and ensure that it is passed on (whether that is to the organisation’s HR team, legal team or designated data protection officer) to be dealt with as soon as possible.
2. The ICO emphasises the strict time requirement (usually one month) for responding to SARs that employers must be aware of and stick to or risk facing the possibility of regulatory action, including financial sanctions or public reprimands. Importantly, the guidance notes that it is open to organisations to seek clarification as to what specific information the individual making the SAR is looking for and confirms that the period to respond to the request will not begin until that clarification has been provided.
3. The guidance mentions there are certain circumstances in which a SAR can be refused – namely where the request is manifestly excessive or unfounded.  However, the guidance does stop short of setting out a clear threshold at which point a request can legitimately be refused – for example, the guidance doesn’t say that a SAR may be refused if responding will involve searching through and reviewing more than a particular number of documents.
4. In the Q&A section of the guidance examples are given of exemptions that may apply and which allow for certain pieces of information requested to be withheld from the response to SAR. This includes information that contains the data of third parties (e.g. in the case of a witness statement in relation to a workplace investigation), material that is legally privileged, confidential references or information relating to management planning.
5. In the guidance, the ICO sets out its view that an individual’s subject access rights will prevail over any attempt to contractually restrict those rights (e.g. a contract that requires an individual to withdraw any “live” requests or agree to not make any future requests). However, it is important to note that the enforceability of such clauses is ultimately a matter for the courts to determine. As such, without a judicial decision on the matter, employers may still wish to include clauses in settlement agreements that aim to deter departing employees from making any future subject access requests.

While the updated guidance issued by the ICO does provide a useful reminder of the general principles for employers to bear in mind when responding to SARs, it does little to address the difficult position on which our clients often find themselves – being faced with responding to a SAR that involves searching through a huge volume of data and which has been made by an employee (or former employee) against the backdrop of a workplace dispute or employment tribunal claim.  It is in these situations where our team’s input at an early stage proves to be incredibly valuable for our clients.  Our pragmatic approach – informed by our employment law expertise as well as our significant experience in advising clients on the handling of employees’ SARs – aims to help organisations strike a balance between the need to comply with a SAR without putting a costly or disproportionate burden on the teams responsible for dealing with the request.

By Burness Paull LLP, Scotland, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact ukscotland@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.