24 September, 2021
On 07 September 2021, the Information Commissioner's Office published an enforcement notice against First Choice Selection Services Ltd for failing to comply with a subject access request made during the course of employment tribunal proceedings.
An individual originally submitted a subject access request to First Choice on 07 May 2020, which was during the course of employment tribunal proceedings against First Choice. A manager responded to the request on the same day stated that they had no intention of providing the information requested and would release the information, as the tribunal designates, at the required time. The individual replied to remind First Choice of its obligations to comply with a subject access request and the manager again responded to confirm that they would provide all the information relating to their claim when instructed to do so by the tribunal.
The individual complained to the ICO about First Choice's refusal to comply with the subject access request. Subsequently the ICO, wrote to First Choice on four separate occasions to confirm that First Choice was in breach of data protection law by failing to respond to the request. First Choice responded to the fourth letter from the ICO to state that the tribunal had instructed them to release no information to the individual at this stage. Further correspondence between the ICO and First Choice then ensued and the ICO requested evidence that the tribunal had ordered that no documentation was to be disclosed. At a later date, an email from the tribunal was provided to the ICO which stated that the tribunal had no jurisdiction to deal with matters relating to data protection requests.
Following receipt of that email, the ICO determined that First Choice had breached data protection law for failing to comply with the subject access request. The ICO found that First Choice had sought to avoid complying with the subject access request on the basis that the tribunal had instructed it not to provide any documents to the individual. The ICO found that this was wilfully misleading and breached requirements under the GDPR to comply with subject access requests and the accountability principle.
In light of those findings, the ICO issued First Choice with an enforcement notice. The enforcement notice required First Choice to comply with the subject access request within one calendar month. Failure to comply with an enforcement notice can result in a fine of up to £17,500,000 or 4% of annual global turnover, whichever is higher.
What Does this Mean for RPs?
It is important to note from this enforcement notice, that subject access requests must be complied with and the presence of ongoing legal proceedings does not mean that an organisation can refuse to comply with a subject access request. The GDPR only permits an organisation to refuse a subject access request if the request is manifestly unfounded or excessive. Whilst the presence of ongoing legal proceedings will clearly be a key consideration when dealing with the request and applying exemptions, it is not a valid reason to refuse to comply with the request.
It is common for individuals to make requests for personal information during the course of grievance and/or disciplinary proceedings. This case highlights how such requests must be dealt with in accordance with data protection law. It also highlights that disclosure as part of legal proceedings is a different regime to disclosure of personal data under a subject access request and organisations should have appropriate processes in place to recognise and respond to such requests.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.