Latest Guidance for Employers from the ICO

A set of documents is available for responding to subject access requests, including a standard form for employees to make the request (note, however, that you cannot make this a prerequisite, only an option), and letter templates for the various stages in responding to a subject access request including a letter acknowledging the request, a letter requesting further information, and a letter requesting an admin fee and/or more time to respond (note the strict limitations on your ability to do this, however, as set out below).

The Right of Access under the UK GDPR

Under the UK GDPR, individuals have a range of rights relating to their personal data. Key among those rights is the right of access, which entitles the individual to receive a copy of their personal data along with other relevant information. The right of access is exercised by means of a subject access request or SAR. In the employment context, SARs can be made by employees to access the personal data their employer holds about them.

A subject access request can take many forms (verbally or in writing) and may be made in a variety of ways. There is no prescribed form (you may provide one to make things easier, but cannot make it mandatory). It is therefore important that you are able to recognise SARs and can respond accordingly.

An individual employee may make a SAR themselves, or they may have a third party make it on their behalf. Both are valid, but if the request is made by a third party, you must ensure that they are genuinely acting on behalf of the individual and with their consent.

You must respond promptly and, in any case, within one month of receipt of the SAR. This time limit may be extended in certain circumstances, for example, if the request is complex or the individual has made a number of requests. You may also need to verify the individual’s identity (although, we would suggest that this is less likely to be an issue in the employment context), in which case, the time limit for responding to the SAR will not start counting down until you receive proof of ID.

Even if a request is complex (or you receive multiple requests from the same individual), or you require proof of ID, you must respond promptly to the SAR, explaining why more time is needed or to request proof of ID. This should be within one month of receipt, irrespective of additional time you may need.

In most cases, you must respond to SARs free of charge. A reasonable fee may be charged in limited cases if a request is manifestly unfounded or excessive or if the individual requests further copies of their personal data.

As explained in more detail below, you must make reasonable efforts to find and retrieve the information the individual has requested. This means that you do not have to conduct searches which are unreasonable or disproportionate to the importance of providing access to the information. However, this should not be taken as an easy way out of providing a full response.

Your response to a SAR should include a copy of the individual’s personal data that you hold and certain supplementary information, which is largely the same information that should be included in your privacy policy or notice. If the SAR is made electronically, you should provide the information to the individual in a commonly used electronic format unless they request otherwise. Alternatively, if requested, a verbal response may be acceptable, and a record of the request and the response should be kept. Whatever method is appropriate, security should always be maintained.

There are some grounds for refusing to comply with a SAR. In some cases, exemptions apply (see below and Schedules 2 and 3 of the Data Protection Act 2018 for more detail), and you may also be able to refuse to comply if the request is manifestly unfounded or excessive (but this ground should be construed narrowly and not used as an excuse for not complying).

In many cases, particularly in an employment context, personal data about one individual may also incorporate or relate to information about others. The simplest option is to respond to the SAR without disclosing information about anyone else, but if that is not possible, you should attempt to obtain the consent of the other individual(s) concerned. Failing that, you may decide that you should not comply with the request or proceed without the consent of the other individual(s). In either case, your decision and the reasoning should be documented.

New Guidance from the ICO for Employers Handling SARs

The Information Commissioner’s Office published new guidance for employers in May 2023 on the handling of SARs. Employers inevitably handle large amounts of personal data relating to their employees and as people become more aware of their rights surrounding privacy and data protection, it is more important than ever to be up to speed on the correct handling of SARs as an employer.

Moreover, the COVID-19 pandemic, the resulting upsurge in home working, and the continuing high levels of home and hybrid working has led to greater amounts of personal data being generated and held by employers. Understandably, employees are more likely to take a more guarded approach to information that concerns their private homes, even where that information is work-related.

The new guidance covers a number of topics, some of which are addressed above, such as recognising a SAR (which could be as simple as a verbal request for an HR file), and responding in a particular format. The ICO’s guidance is presented in a helpful Q&A format, and is available in full here. Below, we look at some of the key points.

Clarifying Requests

Partly because of the broad range of requests that qualify as SARs, and partly because an employee may not fully understand what the right of access entitles them to, you may need to ask for further clarification. This is permissible, provided the need is genuine and not used as a stalling tactic. The ICO states that clarification should only be sought if:

• It is genuinely required in order to respond to the SAR; and
• You process a large amount of information about the employee.

Withholding Information – Exemptions

As noted above, there are exemptions which relate to SARs, but these are limited in scope. You can also refuse to comply if a request is manifestly unfounded or excessive. The ICO’s guidance also sets out other scenarios in which it may be acceptable to withhold information. If you do decide that you shouldn’t comply with the SAR, you will need to decide whether or not to inform them that you are withholding the information. If it would prejudice the purpose of the exemption, it may be justifiable to avoid doing so, but the ICO emphasises that you should be as transparent as possible. The exemptions and scenarios include (but are not, as the ICO explains, limited to):

• Information about other individuals. The ICO uses the example of a request by an employee for their HR file in order to see why they were not awarded a pay increase. This would include meeting notes which would reference the HR department, the employee’s manager, and other staff. An acceptable response in this case would be to redact the details about the performance of other employees while retaining information directly relating to the employee making the SAR.
• Witness statements. These may be relevant in cases such as disciplinary investigations and will often include details of more than one individual. Disclosing information about others in SAR responses is covered above, but the ICO provides some helpful factors to consider when deciding whether or not to disclose information without consent:
  • - The reasonable expectations of the other individual(s) and, particularly, any duty of confidence you owe to them;
  • - Any express refusal of consent by the other individual(s) or indeed whether or not they are capable of giving consent;
  • - The nature of the information to be disclosed; and
  • - In the employment context, factors such as the individual(s) seniority or job role. The ICO suggests that it is more likely to be reasonable to disclose information about someone acting in a professional capacity than a private one.
• Whistleblowing reports. A whistle blower’s report will likely include information about others, including informants and witnesses. In a whistleblowing situation, the ICO states that you must balance the requester’s right of access against the rights of the whistle blower. Additional legislation also applies here in the form of the Public Interest Disclosure Act 1998. In addition to managing data protection considerations, businesses can benefit from having a suitable policy, such as our Whistleblowing Policy template, in place.
• Confidential references. A common form of SAR from an employee can be a request for references. These may be references that you have provided to other businesses, or they may be references that you obtained from others when the employee joined your organisation. The UK GDPR makes confidential references exempt only where they are provided for the following purposes (whether you are giving or receiving the reference):
  • - Education, training, or the employment of an individual;
  • - An individual working as a volunteer;
  • - Appointing an individual to office; or
  • - The provision of a service by an individual.

If it is unclear whether or not a reference is confidential, SARs should be considered on a case-by-case basis.

• Legal professional privilege. This may apply to confidential communications between lawyers and clients.
• Crime and taxation. This applies to personal data being processed for:
  • - The prevention or detection of crime;
  • - The apprehension or prosecution of offenders; or
  • - The assessment or collection of a tax or duty or an imposition of a similar nature.

This may be relevant, to use the ICO’s example, where an employee has been accused of assaulting a colleague at work and the police are investigating the matter. If the employee makes a SAR for CCTV footage of the alleged assault, you may decline on this basis.

• Management information. Where personal data is processed for management forecasting or business (or other) activity planning and the disclosure is likely to prejudice the conduct of business or such other activity, you may rely on this exemption.
• Negotiations with the individual making the SAR. It is important to note that this exemption only applies if complying with the SAR might prejudice the negotiation. This would likely only apply while the negotiations are ongoing. Moreover, you must justify your use of the exemption and explain how complying with the SAR would prejudice the negotiations. This may apply, to use the ICO’s example, if you are negotiating a severance package with a worker which requires them to waive their rights to make a claim in an employment tribunal. If the SAR is made during the negotiations, the exemption may apply. If another is made after the settlement is agreed, it will likely not.

The final two exemptions have been mentioned above and can apply in many situations, including those outside of an employment scenario. These are the SAR being manifestly unfounded or manifestly excessive.

• Manifestly unfounded. A request may be deemed manifestly unfounded if the individual clearly has no bona fide intention to exercise their right of access or if their SAR is malicious in intent and being used to harass your business and cause disruption. The ICO suggests that the following factors may indicate malicious intent:
  • - Making unsubstantiated accusations against the business or against other employees which are obviously prompted by malice;
  • - Targeting a particular employee against whom the individual has a personal grudge; or
  • - Methodically sending different requests as part of a campaign intended to cause disruption.

All SARs should be carefully considered. A malicious tone to a request, for example, does not necessarily mean that it is “manifestly unfounded” for the purposes of the law.

• Manifestly excessive. Again, it is important to carefully consider all SARs and this ground only applies if the request is clearly or obviously unreasonable. The ICO suggests taking account of the following:
  • - The nature of the information being requested;
  • - The context of the request and your relationship with the individual making it (employer-employee, in this context);
  • - The impact your refusal to comply may have on someone, for example, substantive damage caused by complying or even acknowledging that you hold the personal data in question;
  • - The resources you have available to process the SAR;
  • - Whether or not the SAR is repetitive of others received previously and a reasonable time hasn’t passed between them (consider here, for example, the nature of the information and how often it is updated or changed); or
  • - Whether or not the SAR overlaps with others.

Complying with SARs if Employees have signed NDAs or Settlement Agreements

The ICO makes it clear that you must still comply in such cases. The right of access cannot be overridden by such agreements and any attempt to do so in their drafting would likely be unenforceable.

Complying with SARs during Tribunals or Grievance Procedures

Individuals still have the right to access their personal data in such situations. As an employer, for example, while it may be undesirable to disclose information that you believe an employee intends to use against you in litigation, this does not give you the right to refuse the request.

SARs can only be refused if one of the grounds explained above applies. Moreover, even if there is overlap with information disclosed for other reasons or purposes, an SAR should still be fully complied with. As should always be the case when handling SARs, the request should be carefully considered in light of all the relevant circumstances and all information that the individual is entitled to should be provided unless an exemption applies. If an exemption does apply, as repeated above, this should be carefully thought out and documented.

Non Work-Related Personal Data

Care should be taken in a variety of ways to deal with personal data of this kind. For example, IT Policies and other similar rules should clearly define what employees can and cannot do using business systems. A range of Staff Handbook Policy templates are available to assist in this regard, including a Communications, Email & Internet Policy, a Social Media Policy, a BYOD Policy, and a Mobile Phone Use Policy.

Disclosing Emails which an Employee is Copied Into

An SAR only allows the individual to obtain a copy of their personal data from you (in your capacity as a data controller). Whether such emails should be included in your response to the SAR will depend upon their contents and context. Merely being copied into an email does not necessarily mean that it constitutes personal data relating to the individual. It may, for example, be appropriate to redact portions of emails that relate to the individual but also contain other information that is not relevant.

Searching Social Media in Response to a SAR

If your business uses social media, then you are the data controller for any personal data posted on such sites. Consequently, if an individual makes a SAR, you must search your social media posts for any personal data pertaining to them that falls within the scope of the SAR. Similarly, if others have shared social media posts with you which contain personal data, those may be relevant too.

CCTV Footage Containing Other Individuals

Any CCTV footage that falls within the scope of a SAR that contains personal data relating to the individual making the SAR should, where possible, be included in your response. If the footage in question includes other individuals, you should redact it if possible. If this is not possible, the ICO advises that the footage should only be disclosed (as explained above with respect to personal data that includes others’ information) with the consent of those individuals unless it is reasonable to do so without it.

Conclusion

Subject Access Requests can be complex, challenging, and time-consuming to deal with, particularly within the realm of employment. Employers will typically hold a considerable amount of information about their employees which constitutes personal data. At first glance, the simple answer to a SAR would be a relatively simple set of information, but as is shown above, many different types of information could fall within its scope including records of meetings, assessments, internal communications, documentation arising from disciplinary proceedings, references, and a great deal more. Time and care must be taken to ensure a full and proper response. If there is any doubt, it is important to note that the ICO itself cannot advise on what to include in your response on a case-by-case basis and that independent and suitably qualified legal advice should always be sought, whether from your own legal or HR department or from external sources.