June 8, 2023

Subject access request 101: ICO’s guidance for employers

Posted in Employment, GDPR
Employee data

On 24 May 2023, the Information Commissioner’s Office (‘ICO’) published new guidance for employers on how to deal with a Subject Access Request (‘SAR’).

This takes the form of a Q&A webpage and was inspired by an influx of employers who “are misunderstanding the nature of [SARs], or underestimating the importance of responding to requests”, as Elanor McCombe, Policy Group Manager at the ICO explains. There was clearly some uncertainty that needed addressing. By way of reminder, a SAR is a request made by an individual to obtain a copy of their personal data which is being held or used by a business.

Policies and procedures

Last year, the ICO received a total of 15,848 complaints relating to SARs. The ICO has not been shy about utilising its powers to enforce proper compliance – just this month, it reprimanded both the Plymouth City Council and Norfolk County Council for failing to adequately respond to SARs.

Norfolk County Council had failed to respond to 49% of SARs in time between April 2021 and April 2022. Plymouth City Council had only replied to 77% of their SARs in 2022-2023 within the requisite timeframe, with some SARs still waiting review 2 years after they had been made.

No fines were issued but the ICO publishes enforcement action on its website in a manner akin to ‘naming and shaming’. This poses the risk of reducing trust amongst your workforce and the public, and causes reputational harm. Therefore, whilst businesses may not always suffer a financial consequence following a failure to respond to a SAR, the effect of the ICO’s other enforcement powers (including reprimands) should not be underestimated.

This past month’s reprimands are also a stark reminder for anyone who receives a SAR, but especially employers and business owners, as to how crucial it is to have a process in place to deal with these requests quickly, efficiently and in line with this most recent guidance. This includes the technical ability to search for and locate the relevant data to comply with a SAR.

It is not worth risking the fine or sanction where failings to comply with the request can be avoided by ensuring internal policies are robust and fit for purpose. If you are uncertain about whether your own internal procedures are up to standard, please do not hesitate to get in touch with a member of our Data Protection Team, who would be happy to assist.

Settlement agreements

The guidance confirms that it is not possible to restrict a current or former employee’s  access rights within a settlement agreement i.e. agreeing to withdraw a SAR or not to make one in the future in exchange for a settlement payment. It may be that the data subject is content with the settlement figure and, once an agreement has been reached, no longer has a reason to make a SAR, but their right to do so cannot be curtailed.

There are commercial reasons behind wanting to ‘future proof’ such agreements but doing so is unlikely to confer a practical benefit for the employer, or save it time in the longer term. The ICO will likely take a dim view and may opt to watch an organisations’ data protection practices more closely.

The right to refuse a SAR is limited in contrast to the right of access which is fundamental. We therefore advise careful consideration when engaging in settlement talks and if you have any questions about this, or how to respond to a SAR as an employer, a member of our Employment Team would be happy to discuss.

If you are interested in reading the new guidance, it is available here.

Looking Ahead

The ICO are currently reviewing responses to their consultations on “Employment Practices Guidance – Information about Workers’ Health”, which deals with workers’ health information, as well as “Draft Employment Practices: Monitoring at Work Guidance and Draft Assessment”, which covers monitoring at work. Their findings will be reported on this page in due course.

Articles from this area:

View more articles related to Employment and GDPR