New ICO guidance for employers on subject access requests

During April 2022 and March 2023, the Information Commissioner’s Office (ICO) received over 15,000 complaints related to subject access requests (SARs). The ICO said employers regularly misunderstood the nature of SARs or underestimated the importance of responding to requests, and that organisations which fail to respond to SARs promptly, or at all, can be subject to fines or a reprimand.

In an attempt to support employers to respond to SARs in a proper and timely manner – and address the high number of complaints – the ICO has published new guidance for employers on dealing with SARs. The guide is a helpful tool for employers to assist with ensuring that they comply with their obligations under the UK General Data Protection Regulation and the Data Protection Act 2018 (DPA) when responding to requests for personal data.

The new guidance is in a question and answer format and refers to – and reinforces – the relevant parts of the ICO’s detailed subject access guidance. It highlights some of the common misconceptions that employers have when dealing with SARs and includes several helpful examples of what employers “must” (reflecting legal requirements) and “should” (reflecting “best practice”) do when responding to SARs from current and former members of staff.

The guidance covers topics, such as:

• The format for submitting a SAR – the guidance reminds employers that there are no formal requirements for a valid SAR. For example, they may be made via social media and do not need to include the words “subject access request”.
• The time limits for responding to a SAR – the guidance reminds employers of the applicable time limits set on responding to SARs and emphasises that a failure to comply can result in regulatory action, including either financial sanctions or reprimands.
• Manifestly unfounded or excessive SARs – the ICO has given an example of a “manifestly unfounded” request to support employers with identifying such requests. In practice, given the complexities associated with determining when a SAR will be “manifestly unfounded” or “excessive”, we recommend that legal advice is always sought.
• The ability to clarify requests – the ICO is clear that employers can ask staff to clarify the scope of their SAR, particularly if it is necessary to interpret the request in good faith and where the organisation holds a large amount of information about the member of staff.
• The ability to withhold certain information – the new guidance sets out quite clearly the DPA exemption for protecting the rights of others. Employers have a wide discretion to determine whether it is reasonable in all the circumstances to withhold or disclose third parties’ personal data which is combined with the requestor’s data. The guidance also covers the ability to withhold whistleblowing related information in circumstances where the whistleblower has made a protected disclosure which is genuinely in the public interest, in accordance with the Public Interest Disclosure Act.
• Complying with SARs made by employees going through grievance processes or a tribunal – the guidance is clear that compliance with a SAR is required irrespective of whether the requester has initiated a tribunal process or raised a grievance. In other words, employers must disregard the employee’s possible motive in making a SAR. However, it is recognised that if certain documents – such as witness statements – contain the personal data of third parties given in confidence then it may be inappropriate to disclose such documents.
• The inability to contract out of the right of access using a settlement agreement or non-disclosure agreement – the ICO is unequivocal that the right of subject access is an important right for individuals which “cannot be overridden” by a settlement or non-disclosure agreement. Limiting such rights under these agreements will be unenforceable under data protection legislation. That said, we often advise employers that, although such provisions are unenforceable, they can act as a useful deterrent.
• Managing requests for CCTV footage – the new guidance reminds employers that CCTV footage can contain personal data relating to members of staff and, as such, depending on the nature of the request, it may be necessary to search CCTV recordings when responding to a SAR.

Impact on Schools

As individuals are becoming more aware of their rights from a data protection perspective, we are seeing an increase in the numbers of SARs within the education sector from current and former staff. SARs from staff members can be particularly problematic for schools to respond to since they can involve high volumes of data, require the removal of third party data and relate to contentious employment matters.

The new guidance has helpfully clarified some common misconceptions in relation to SARs and serves as a useful reminder of the approach schools should take when responding to a request, but it does not materially change the legal position or “best practice” guidance from the ICO.

Given the possible impact of non-compliance, it is hoped that the further support from the ICO will make the process easier for schools to understand, navigate and, ultimately, assist with legal compliance.

Schools should familiarise themselves with the new guidance and, where applicable, review any existing employment policies and procedures which refer to SARs to ensure they align with the current data protection regime, and identify any areas of non-compliance.

On receipt of a SAR from a current or former member of staff, schools should continue to consider the request on its particular facts, consider any exemptions that may apply, and respond in a proper and timely manner (ideally with the benefit of legal support).

If you have any queries on the guidance, or SARs in the context of employees generally, please get in touch with Hannah Wilding.