Scrase Law Employment Solicitors

Data Subject Access Requests – guidance for employers

Employees have the right to request of their personal data from their employer or former employer.  The employer must respond to a subject access request (SAR) within a month of receipt of the request.  It is possible to extend this by up to two months if the SAR is complex.  Failure to comply with a request may result in a complaint to the ICO.

ICO guidance – SARs

The Information Commissioner’s Office (ICO) has published guidance for businesses and employers on responding to SARs. The blog and ‘SARs Q&A for employers’ include guidance on issues including:

  • What the right of access is
  • When employers can withhold information
  • SARs in the context of a tribunal process
  • Searches across social media
  • Requests for CCTV footage
  • What to include in a SAR response
  • The issues to consider when responding to a SAR may involve providing information about someone else, for example, another employee.

There are a number of exemptions when responding to a SAR, where the employer may not be under an obligation to comply with the SAR.  These include, for example:

  • Confidential references
  • Information subject to legal professional privilege
  • Information processed for the purposes of management forecasting or planning about a business activity if disclosure is likely to prejudice the conduct of the business or activity.  This may apply, for example, where a business is planning redundancies
  • Records of intentions in relation to negotiations between the employer and employee if complying with the SAR would be likely to prejudice those negotiations.

Comment

According to the ICO’s blog, from April 2022 to March 2023, 15,848 complaints related to SARs were reported to the ICO.  It notes: ‘What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests’. 

If an organisation fails to respond to SARs promptly or at all, they can be subject to fines or a reprimand from the  ICO.  The blog provides links to information about action taken against organisations that failed in their duty to respond to SARs.  Employers should be aware of their legal obligations when responding to a SAR and seek advice if appropriate. 

27 July 2023

If you would like to receive monthly employment law updates and news of our events, sign up for our email alerts.

©2023 SCRASE LAW LTD. THIS POST IS FOR GENERAL INFORMATION ONLY AND IS NOT ADVICE. YOU ARE RECOMMENDED TO SEEK PROFESSIONAL ADVICE BEFORE TAKING ANY ACTION ON THE BASIS OF THIS POST