New SAR guidance for employers published by the ICO: key updates considered

On 24 May 2023 the Information Commissioner's Office (ICO) published new guidance for employers and businesses relating to responding to Subject Access Requests (SARs). This guidance has been released in the wake of recent enforcement action issued by the ICO to two local authorities, for failure to respond to SARs in a timely manner. To find out more about this, take a look at our recent article, discussing the factors leading to this decision and the lessons that can be learned. The article can be found here.

In this update, we explore the key updates in the new SAR guidance and the changes this may prompt in business practice and the approach employers take when handling and responding to SARs.

The Law

An individual's ability to access their personal information (referred to in the legislation as 'personal data') held about them by a data controller, such as an employer or a business, is a fundamental right in the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA).

For the purposes of the UK GDPR and DPA, personal data relates to anything that can identify a living individual including:

• name;

• date of birth;

• National Insurance number;

• gender;

• address;

• contact information;

• location data;

• online identifiers;

• financial information;

• more sensitive information, including: health and disability information; information relating to racial and ethnic origin; political opinions; religious or philosophical beliefs; sex life and sexual orientation information and, trade union membership, known as 'special category data.'

In the employment relationship context, SARs commonly constitute requests for personnel records, correspondence, and other relevant employee information, such as training records.

The legislation compels data controllers, to provide copies of the personal data requested, usually within one month of the SAR being made, alongside confirming the following:

• the purposes of the processing that personal data;

• the categories of personal data concerned;

• the recipients or categories of recipient to whom the personal data have been or will be disclosed;

• how long data will be stored for;

• information about the individual's data subject rights;

• an individual's right to lodge a complaint with the ICO;

• where the personal data is not collected from the individual themselves, any available information as to their source;

• the existence of any automated decision-making, including profiling;

• if data is transferred outside of the UK and European Economic Area, the right to be informed of the safeguards implemented when transferring personal data.

The legislation does allow for the time period for responding to an SAR to be extended for up to two further months, where the request is sufficiently complex. Data controllers that fail to respond to an SAR within the statutory timeframe, become vulnerable to a complaint being made by the individual making the request to the ICO. As an independent regulator, the ICO has wide powers of investigation and enforcement, such as the power to issue fines and reprimands.

Updated guidance

In releasing new 'SARs Q&A for employers', the ICO's intention is to provide further support and make the SAR handling process easier to understand and navigate, to help increase compliance with the legislation. In a statement announcing the new guidance, ICO Policy Group Manager, Elanor McCombe said:

"What we're seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words 'subject access request' in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to."

The guidance covers a range of common areas of misconception, such as:

• the format for submitting an SAR (i.e. without needing to refer to the relevant legislation or the phrase 'Subject Access Request' and can include written, oral or social media requests);

• the ability to clarify requests;

• the ability to withhold certain information;

• complying with SARs made by employees going through employment processes or a tribunal;

• the inability to contract out of the right of access using a settlement or non-disclosure;

• managing requests for CCTV footage.

What should employers do now?

This guidance represents an attempt by the ICO to clarify any areas of uncertainty in the legislation and its expectations from employers handling SARs. It provides a useful resource for employers to benchmark themselves against, to assess their current level of compliance and where they may be exposing themselves to risk of enforcement, as a result of internal SAR policies and procedures.

SARs are becoming increasingly commonplace for employers, as individuals are more aware of their rights in the DPA and UK GDPR. The new guidance demonstrates the ICO's recognition of this, and the necessity to help employers with creating a mainstream, transparent process.

Alongside its new guidance, the ICO has reiterated its commitment to holding data controllers to account, who fail to respond to requests in accordance with the legislation. This commitment has most recently been reinforced in the public sector, as organisations expected to uphold practices that align with their legal obligations and act in a way that maintains public trust and confidence.

Employers as a whole, but particularly those within the public sector, should now review their SAR policies, procedures and current SAR handling, to assess their alignment with the new guidance, and identify any particular areas of non-compliance, to ensure they are adjusted accordingly.

A full copy of the ICO's guidance for employers is available to read here.