Subject Access Requests – An update for employers

From April 2022 to March 2023, the UK Information Commissioner’s Office (ICO) received 15,848 complaints related to the right of subject access. This highlights how important it is, as an employer, to be up to speed on the law and procedure associated with subject access requests (SARs).

Here, Rosehana Amin and Rob Hill, partners from our cyber & data privacy, and employment teams respectively discuss what you need to know about SARs as an employer and highlight new guidance, which gives useful clarification, although still leaves uncertainty in some areas.

A reminder:

What is a SAR?

SARs are governed in the UK by the UK GDPR and the Data Protection Act 2018 (DPA). Article 15(1) GDPR states:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…”

Under the EU GDPR and UK GDPR, employees (amongst others) have the right to access their personal data and supplementary information and be informed by their employer organisation whether or not it is processing their personal data.  

An individual can request a SAR verbally or in writing, including via social media, and can include:

• Confirmation that you are processing their data
• Access to their personal information
• A request for confirmation of the lawful basis on which you are processing their data
• Information on the period for which you will store their data
• Any relevant information about how the data was obtained
• Any relevant information about automated decision-making and profiling
• Names of any third parties you share their information with

TIP: The UK GDPR does not set out formal requirements for a valid request, it may therefore be useful to train staff to spot a verbal and non-verbal SARs, and the process on how to escalate a SAR to the relevant people. 

Respond without undue delay

SARs must be responded to “without undue delay,” and at latest, within one month. If requests are numerous or complex, you can extend the deadline by two months, but must explain why this is necessary. However, a request for clarification in respect of the SAR stops the clock running until the requested clarification is provided. 

TIP: Diarise deadlines, ensure that you know when the clock has started to run for the purposes of responding to the SAR. Before responding, ensure you are satisfied or have verified the identity of the requester. The timescale for responding does not begin until you have received the requested information to verify the identity of the requester but you should request information promptly.

Reasonable efforts

Remember that the ICO says that you should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. 

TIP: Keep a record of the decisions you make when determining proportionality. A sensible data retention policy can help to limit the number of documents to be reviewed.

Recent clarification

The ICO recently published new guidance for employers, in the form of question and answer pages on its website. The new guidance aims to clarify common misunderstandings and highlight the importance of responding to SARs. Whilst it does repeat much of the existing guidance, it covers some common questions employers may have about SARs, including:

• When can employers withhold information?
• Employers can only refuse to comply with a SAR when a request is manifestly unfounded or excessive, or if there are any applicable exemptions. The standard for “manifestly unfound” is high and the guidance lists some non-exhaustive criteria, which may help employers in determining whether a request may be manifestly unfound, for example:
  • The employee clearly has no intention to exercise their right of access
  • The request is malicious in intent and is being used to harass the employer organisation with no real purpose other than to cause disruption
• The guidance also provides factors to take into account when determining whether a request is manifestly excessive, including:
  • The nature of the requested information
  • The context of the request
  • Your available resources
• The guidance gives examples of exemptions, which can be relied upon by employers in certain circumstances to refuse to comply with a SAR, for example;
  • Providing information about other people
  • Whilstleblowing reports
  • Confidential references
  • Legal professional privilege
  • Personal information that is included in a record of your negotiations with an employee
  • Management forecasting
• It is important to apply an exemption on a case-by-case basis and justify and document your reasons for relying on them. 
• TIP: Information that is not within the scope of the SAR can be redacted. Remember to redact information in relation to another person because disclosing personal information in relation to a third party may well breach data protection legislation.
• Disclosing non-work related personal information 
• The new guidance highlights that organisations should have policies and procedures in place so that employees are aware of what they can and can’t do on the IT system. For example, a reasonable use or a personal use policy. 
• Ultimately it is for the employer to determine whether the information requested constitutes “personal information” under the SAR, however the guidance provides some points to consider, including:
  • Just because the contents of the email are about a business matter, this does not mean that it is not the requester’s personal information
  • Just because a requester receives an email, it does not mean the whole content of the email is their personal information
  • Context is the key to making a decision.
• Searching social media
• If the employer organisation uses social media platforms, then you are the controller for the information processed on those pages and you must search these pages for any personal information, if it falls within the scope of a SAR.

The new guidance contains some helpful worked examples and will be a useful document to have to hand when dealing with SARs. It does, however, still leave a number of areas of uncertainty for employers. 

As noted above, employers may be able to refuse a SAR on the basis it is manifestly excessive. Although the guidance provides advice on how to respond to an excessive request, further guidance for employers would have been helpful. The example given relates to a small business with just four members of staff and the position would be different for larger employers, and those with significant resources, who should treat this advice with caution and seek advice where appropriate. 

An exemption, referred to above, may apply where employers process personal information for management forecasting or planning about a business or other activity. Employers can refuse to provide this information if disclosure is likely to prejudice the conduct of the business or activity. The example in the guidance refers to a redundancy situation, which is the same as the ICO’s previous example (in their guide to exemptions). It would, however, have been helpful if the guidance had provided clarity for employers on additional situations (other than redundancy) where they could withhold data under this exemption.

Failure to comply

Failure to comply with a SAR may result in supervisory authorities taking enforcement action, which may include enforcement notices, reprimands, and fines. The individual who requests the SAR may also apply for a court order requiring compliance, and depending on the circumstances, the court could order a compensatory award.

Reform and the Data Protection and Digital Information Bill

The UK government is currently in the process of reforming data protection legislation in the UK, and replacing the UK GDPR, following Brexit. The new Data Protection and Digital Information (No. 2) Bill (the Bill) has been published and is currently working its way through parliamentary process, to become new law.

The Bill currently makes minimal changes to the rules regarding SARs. When changes are made, these are done so in an attempt to provide further clarification when dealing with issues such as the time to respond, and how to handle requests which may be vexatious and excessive. 

In a recent speech, the UK Information Commissioner, John Edwards, highlighted that SARs are an “important tool for individuals exercising their data protection rights”. He sought to reassure that the basic right for anyone to request information about themselves is not changing as a result of legislative reform.