The Information Commissioner’s Office (ICO) has issued new guidance for employers who have received a Subject Access Request (SAR) and want to know how to respond to it.
What is a Subject Access Request?
This gives someone the right to request a copy of their personal information from organisations.
This includes where the employer got their information from, what they’re using it for and who they are sharing it with.
Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development, or HR records.
Organisations must respond to a SAR within one month of getting the request. However, this can be extended by up to two months if the SAR is complex.
Is there a new law on Subject Access Requests?
No! Subject access requests have always formed part of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), and continue to do so
Why has the ICO issued “new” guidelines?
Sometimes, the ICO issues clearer guidelines, if the complaints they receive from the public indicate certain trends that they would like data controllers to address. On this occasion, the ICO said:
“We’re seeing now that many employers are misunderstanding the nature of subject access requests or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to.”
“For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.”
The ICO may take action against a controller or processor if they fail to comply with data protection legislation; this action may take the form of a warning, reprimand, enforcement notice or penalty notice.
If a SAR is not complied with, the requester may apply for a court order requiring compliance. The court will decide, in each particular case, whether an order will be made.
If an individual suffers damage or distress because an employer has infringed their data protection rights – including failing to comply with a SAR – they are entitled to claim compensation. Only the courts can enforce their right to compensation.
It is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information a person making a SAR would have been entitled to receive.
However, it’s a defence if it can be proved that:
- the alteration, defacing, blocking, erasure, destruction or concealment of the information would have happened regardless of whether the individual made a SAR; or
- there was a reasonable belief that the person making the SAR was not entitled to receive the information requested.
From April 2022 to March 2023, 15,848 complaints related to Subject Access were reported to the ICO.
In May 2023, the ICO reprimanded Plymouth City Council and Norfolk County Council for failing to respond to information access requests. In September 2022, the ICO took action against seven organisations who failed in their duty to respond to SARs.
It is well worth considering the new guidance on responding to SARs as it has particular relevance to employment practices, for example regarding non-disclosure and settlement agreements.
It is quite extensive, but it is in a Q&A format and has numerous examples to illustrate the guidance and provide clarity for employers.
If you have any concerns about subject access requests or any other issue arising from data protection, the rradar legal advisory team can help with this. Call us on 0800 955 6111. We are open from 8:00am until 6:00pm Monday to Friday, except bank holidays.