Navigating the Subject Access Request (SAR) minefield
The latest guidance from the Information Commissioner’s Office (ICO) provides helpful pointers for navigating the regulatory pitfalls of a SAR.
For employers confronted with a subject access request (SAR), the latest guidance from the Information Commissioner’s Office (ICO) provides helpful pointers for navigating the regulatory pitfalls that surround such requests.
From April 2022 to March 2023, the ICO received over 15,000 complaints in relation to how organisations have handled subject access requests and, unfortunately, a large number of these complaints fall on the shoulders of employers. Many employers “underestimate” the importance of handling subject access requests effectively. As failing to comply with a SAR can result in undesirable consequences, reprimands and significant fines, the latest recommendations from the ICO can help save employers significant strife.
Under the UK GDPR, an employee has the right to obtain information from their employer as to whether their personal data is being processed and, if so, is entitled to a copy of their personal data should they request this. Typically, employers should respond to a subject access request within one month, although this can be extended where the request is complex. Responding to a SAR promptly and effectively is key given the time-consuming nature of complying with a request, especially where an employer holds data on an employee spanning a number of years. The latest guidance from the ICO provides a number of practical examples that employers can follow to ensure they remain GDPR compliant and protect themselves from unpleasant interactions with the ICO.
1. Recognising requests
The ICO reiterate that a SAR can be submitted in a variety of formats, including verbally, in writing or via social media. Additionally, employees do not need to clearly state they are making a subject access request for a request to be valid. The ICO offer examples of an employee asking, “what information do you hold on me” or “please may I have my HR file” (questions commonly heard by line managers and HR teams) as valid subject access requests. Many employers may have a designated team or individual to handle such requests, but the guidance illustrates the importance of regular employee training in order to ensure requests are identified and addressed promptly.
Responding to a SAR can be a time-consuming undertaking, particularly in situations where a lot of personal data has been processed or the personal data of others needs to be redacted, and identifying requests as swiftly as possible will provide the best opportunity to process the request within the one-month time limit. The guidance confirms that an employer can ask employees to clarify what information they want where they have made a broad request, and should carry out “reasonable” searches where an employee refuses to narrow their request.
2. “Manifestly unfounded/excessive” requests
Employers can refuse to comply with a request which is manifestly unfounded or excessive, but the ICO consider this a very high bar to meet. The guidance helpfully reaffirms that a request is manifestly unfounded in cases where it is clear an employee does not genuinely seek to exercise their rights to their personal data or is looking to cause disruption. To illustrate, the ICO provides the example of a redundant employee offering to withdraw their request in return for an increased financial reward. Employers can therefore consider the nature and purpose of the request when deciding to comply.
For manifestly excessive requests, the ICO confirms employers should consider whether a request is unreasonable, basing this on whether the request is proportionate when balanced with the burden or cost involved in dealing with the request. The ICO guidance is particularly beneficial to small businesses, offering an example of a business with 4 members of staff receiving a SAR involving over 3,000 emails, suggesting that it would be reasonable to consider categorising information and providing this as a summary where the requester has not narrowed down their request. However, for larger organisations with greater resources, this may not be a reasonable course of action. The guidance makes it clear that a request is not excessive simply because it is large, and that context plays a significant role in determining whether a request is excessive. Employers need to consider the nature of the request, the availability of resources and whether the request can be clarified or narrowed. If an employer decides a request is manifestly excessive, the reasons for this conclusion must be clearly documented and communicated to the employee.
The latest guidance provides practical examples of a number of exemptions that employers may rely on when deciding to withhold information in a SAR. For example, employers can withhold information relating to management planning where disclosure would prejudice the conduct of the business. The ICO provides the example of a company considering restructuring and redundancies, which would not be required to disclose information regarding this in a SAR as doing so may prejudice the plans of the business. It is also suggested that employers may withhold witness statements from ongoing disciplinary investigations, particularly where it is necessary to maintain the confidentiality of witnesses. The guidance reaffirms that personal data regarding ongoing negotiations with the employee can be withheld. The guidance notes that this would encompass ongoing settlement agreement negotiations, as disclosing this information in a SAR would prejudice those negotiations.
Additionally, the guidance reaffirms key obligations in regard to SARs, confirming that the right to obtain personal information cannot be overridden by a settlement agreement, that employers cannot simply refuse to comply if the employee making the request is undergoing a grievance or Tribunal process, and that the UK GDPR applies to social media activity (including instant messaging groups such as WhatsApp) carried out in a commercial or professional context.
Whilst the guidance provides a number of helpful scenarios, there remains room for ambiguity. For example, there is limited guidance for larger businesses on what constitutes a “manifestly excessive” request. Furthermore, what classes as a “reasonable search” remains unanswered by the ICO leaving this open to interpretation where an employee refuses to narrow their request.
The Employment Team at Clarke Willmott regularly assist employers with their GDPR compliance and SARs and would be pleased to assist with queries relating to subject access requests made by employees. Please do not hesitate to contact us if you have any queries.