26 May, 2023
On 24 May 2023 the Information Commissioner's Office (ICO) published new guidance for employers and businesses relating to responding to Subject Access Requests (SARs). This guidance has been released in the wake of recent enforcement action issued by the ICO to two local authorities, for failure to respond to SARs in a timely manner. To find out more about this, take a look at our recent article, discussing the factors leading to this decision and the lessons that can be learned. The article can be found here.
In this update, we explore the key updates in the new SAR guidance and the changes this may prompt in business practice and the approach employers take when handling and responding to SARs.
An individual's ability to access their personal information (referred to in the legislation as 'personal data') held about them by a data controller, such as an employer or a business, is a fundamental right in the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA).
For the purposes of the UK GDPR and DPA, personal data relates to anything that can identify a living individual including:
In the employment relationship context, SARs commonly constitute requests for personnel records, correspondence, and other relevant employee information, such as training records.
The legislation compels data controllers to provide copies of the personal data requested, usually within one month of the SAR being made, and to confirm the following:
the existence of any automated decision-making, including profiling;
where personal data is transferred outside of the UK and the European Economic Area, the safeguards implemented for that transfer, which the individual has the right to be informed of.
The legislation does allow the time period for responding to an SAR to be extended by up to two further months where the request is sufficiently complex. Data controllers that fail to respond to an SAR within the statutory timeframe become vulnerable to a complaint to the ICO by the individual who made the request. As an independent regulator, the ICO has wide powers of investigation and enforcement, including the power to issue fines and reprimands.
In releasing new 'SARs Q&A for employers', the ICO's intention is to provide further support and make the SAR handling process easier to understand and navigate, to help increase compliance with the legislation. In a statement announcing the new guidance, ICO Policy Group Manager, Elanor McCombe said:
"What we're seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words 'subject access request' in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to."
The guidance covers a range of common areas of misconception, such as:
This guidance represents an attempt by the ICO to clarify areas of uncertainty in the legislation and its expectations of employers handling SARs. It provides a useful resource against which employers can benchmark themselves, to assess their current level of compliance and where their internal SAR policies and procedures may be exposing them to the risk of enforcement.
SARs are becoming increasingly commonplace for employers, as individuals are more aware of their rights in the DPA and UK GDPR. The new guidance demonstrates the ICO's recognition of this, and the necessity to help employers with creating a mainstream, transparent process.
Alongside its new guidance, the ICO has reiterated its commitment to holding to account data controllers who fail to respond to requests in accordance with the legislation. This commitment has most recently been reinforced in the public sector, as organisations there are expected to uphold practices that align with their legal obligations and to act in a way that maintains public trust and confidence.
Employers as a whole, but particularly those within the public sector, should now review their SAR policies, procedures and current SAR handling to assess their alignment with the new guidance, identify any particular areas of non-compliance, and ensure these are adjusted accordingly.
A full copy of the ICO's guidance for employers is available to read here.
For more information contact Laura Rae in our Governance, Procurement & Information department via email or phone on 01772 220221. Alternatively send any question through to Forbes Solicitors via our online Contact Form.