The Information Commissioner’s Office (ICO) has published new guidance for businesses and employers on responding to subject access requests (SARs), helping them to comply with a SAR and answering questions commonly asked by employers.
Background
The right of access, exercised through a subject access request (SAR), gives employees the right to obtain a copy of their personal data. In the context of employment, it allows employees to access the personal data that their employer or former employer holds about them. Ordinarily, a SAR must be responded to within one month of receipt of the request, save where it is considered complex, in which case the period can be extended by a further two months.
The guidance
The new guidance from the ICO reinforces the existing guidance on the right of access, whilst providing information on the key requirements to comply with a SAR. It also includes some helpful clarifications on the following areas that employers should be aware of when complying with a SAR:
The formatting of a SAR request
No formal requirements need to be met to submit a valid request. This means that a SAR can be submitted in a variety of different formats, including verbally, in writing, on behalf of someone else and even via social media. The request does not need to be directed at a particular person, contact point or department within the organisation.
When a SAR can be refused
The UK GDPR identifies exemptions from a worker’s right of access that allow employers to withhold some or all personal data. In their guidance, the ICO outlines the following exemptions that employers should consider:
- Where disclosure includes information on someone other than the requester;
- Where disclosure concerns confidential references;
- Where disclosure concerns confidential communications between lawyers and clients;
- Where disclosure concerns personal information on crime and taxation; and
- Where disclosure concerns management information that is likely to prejudice business.
A request for a SAR can also be refused where it is ‘manifestly unfounded’ or ‘manifestly excessive’.
- A request may be manifestly unfounded where the employee has no intention to exercise their right of access, or where the request is malicious in intent, i.e. its primary purpose is to cause disruption;
- A request may be manifestly excessive where the employer considers it clearly or obviously unreasonable.
The role of non-disclosure or settlement agreements
The guidance also confirms that a worker’s right of access cannot be overridden by a settlement or non-disclosure agreement. As such, signing a settlement agreement which includes a clause stating that any SAR is withdrawn and no new SAR will be submitted will not waive the employee’s right to access their information. Where a settlement agreement includes such a clause, it is likely that this part of the agreement will be unenforceable under data protection legislation.
The impact of tribunal or grievance proceedings
A SAR cannot be refused solely on the basis that an employee is undergoing a grievance or tribunal process and the employer believes they intend to use their personal information for litigation purposes. If the employer intends to withhold information they must demonstrate the exemption they are using to refuse the request and provide reasons.
Best Practice
It is important that employers are aware of the ICO’s recent guidance, which repeats and consolidates much of the advice that has already been published. Our advice would be for employers to designate a specific person, team and email address devoted to dealing with SARs. This will reduce the possibility of a SAR being missed and the statutory deadline not being met. As set out above, the ICO also states that a SAR does not need to include the phrase ‘subject access request’ or an explicit reference to GDPR. This presents a challenge to employers and means that individuals within the organisation should be trained to identify SARs, allowing the organisation to handle them and comply effectively.
The ICO also places great emphasis on considering these requests on a case-by-case basis. Accordingly, a request should not be refused solely on the basis that it asks for large amounts of information. We advise that all the circumstances of the SAR are noted, and that further clarification is requested where necessary to help make reasonable searches for the information and streamline the request.
If you require any advice on compliance with SARs or would like assistance in reviewing your policies or processes for dealing with SARs, please contact our Employment Team.