More and more employees are exercising their rights in relation to SARs since the Data Protection Act 2018 came into force. Complying with requests can be very burdensome for employers so it is increasingly important that employers know how to deal with SARs efficiently and effectively.
The ICO has recently published detailed guidance on responding to SARs, which doesn’t alter the existing law, but provides further detail and clarification for employers and other data controllers. Here we look at some of the key points below.
Clarifying the SAR and ‘stopping the clock’
Generally, employers are required to provide a response to a SAR within one month of receipt. The new guidance confirms that if an employer processes large amounts of information about an employee, employers can ask them to specify the information they seek before responding to their SAR.
The time limit for responding to the SAR is paused until you receive clarification – this is known as ‘stopping the clock’ and can be useful for alleviating the pressure on employers to comply with the deadline. However, employers should take care only to seek clarification where it is genuinely required to enable them to respond to the SAR and where large amounts of information about the employee are processed. It should not be used on a blanket basis simply to buy more time in which to respond.
Employers should note that the clock only stops where clarification is sought about the information requested. It does not stop where employers seek clarification on any other matter, such as the format of the response.
In most situations, an employer cannot charge an employee a fee for responding to their SAR. However, the new guidance clarifies that a ‘reasonable fee’ can be charged to the employee for the administrative costs of complying with the SAR, if it is manifestly unfounded or excessive, or the employee makes a request for further copies of their data following the SAR.
Whilst the new guidance does not provide suggestions as to what a reasonable fee might be, it does provide useful examples of what it may include. Such examples consist of photocopying, printing and posting costs, envelopes, USB devices and staff time spent on complying with the SAR.
The new guidance is likely to be welcomed by employers dealing with large numbers of SARs. However, employers should ensure that fees are reasonable, proportionate and are applied in a consistent manner and can be justified if a complaint is made to the ICO.
‘Manifestly unfounded’ or ‘manifestly excessive’ SARs
As an alternative to charging a reasonable fee, employers can refuse to comply with a SAR (wholly or partly) if it is manifestly unfounded or manifestly excessive. The new guidance provides examples where a SAR might be deemed manifestly unfounded, including where the SAR is malicious in intent and has no real purpose other than to cause disruption to the employer.
With regards to a SAR being manifestly excessive, the guidance confirms that employers need to consider whether the request is clearly or obviously unreasonable. In doing this, an employer needs to consider whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. However, a SAR is not always excessive just because the employee requests a large amount of information. Employers must take into account all of the circumstances of the request and should be prepared to provide justification as to why they deem a SAR to be manifestly unfounded or excessive.
SARs and Employment Tribunal claims
SARs can be a useful tool for employees who may wish to bring Employment Tribunal claims and some may use them as ammunition for making a claim. This is particularly so in the current climate when many employees may be aggrieved about losing their jobs or how they have been treated during the pandemic, as evidenced by the huge backlog of such claims. SARs are often made when there is an existing employment dispute but before proceedings are issued. However, an employee cannot generally delay issuing a claim just because an employer has not replied to the SAR in time and the normal time limits will still apply.
Employees do not always appreciate that they are only entitled to their own personal information in response to a SAR and employers may legitimately redact information which is not the employee’s personal information. Employers may also be able to withhold documents containing third party information. This can severely limit the information employees obtain in response to a SAR and the information obtained may therefore be less useful to an employee than anticipated.
Employees may therefore have to wait until the disclosure stage in Employment Tribunal proceedings before they get the documents they seek, as at this stage employers are obliged to disclose all information that is relevant to the claim itself, rather than just the employee’s personal information.