The guidance has been published by the Information Commissioners Office ("ICO")
According to the ICO, they received 15,848 complaints relating to subject access requests ("SARs") during the course of the 2022/23 financial year and this regularly tops the charts for the most frequent source of individual complaints to the ICO.
In our experience, dealing with complex SARs can often be the most challenging aspect of GDPR for employers. While much information held on a personnel record will be of a routine nature, the reality is that most SARs are submitted in already challenging circumstances, often involving a disciplinary or grievance process (or similar) or alternatively a dispute of some kind. Searches for the personal data requested will often reveal a significant volume of emails and/or other documents which frequently contain personal data relating to other third parties, requiring employers to navigate both the third party data provisions and any other possible exemptions which may apply. The volume of information that employers often need to look at, particularly in the form of email chains, mean that SARs can also take a significant amount of work to comply with.
In light of all this, the new guidance recently published by the ICO in the form of a SARs Q&A for employers will be very welcome. The guidance itself is easy to read, addresses common problems, and links to more detailed information, if needed. It sets out practical matters such as how to recognise a SAR and when employers can clarify what is being requested at the outset of a request (or extend the timescale to comply, where the SAR is complex). It deals with when employers can refuse to comply with a request where it is "manifestly unfounded" or "manifestly excessive", albeit these provisions will seldom apply. It addresses the issue of "third party personal data" in the context of witness statements and CCTV footage. Also covered within the guidance is whether the requester is entitled to know if any information is being withheld as well as dealing with SARs generally in the context of ongoing grievance procedures or tribunals, amongst other things. Alongside these practical issues, it also offers further explanation and examples of when exemptions from the requirement to disclose may apply.
We are running a free employment law webinar on data protection in the workplace later this year and a key aspect of this will be dealing with complex SARs. You can register for this webinar here and there is information available on all of our upcoming employment law webinars here.
The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. Morton Fraser LLP accepts no responsibility for the content of any third party website to which this webpage refers. Morton Fraser LLP is authorised and regulated by the Financial Conduct Authority.