31 May, 2023
On 24 May 2023 the Information Commissioner's Office (ICO) published new guidance for employers and businesses on responding to Subject Access Requests (SARs). This guidance has been released in the wake of recent enforcement action taken by the ICO against two local authorities for failure to respond to SARs in a timely manner. To find out more about this, take a look at our recent article discussing the factors leading to that decision and the lessons that can be learned.
In this update, we explore the key points in the new SAR guidance and the changes it may prompt in business practice and in the approach employers take when handling and responding to SARs.
An individual's ability to access the personal information held about them (referred to in the legislation as 'personal data') by a data controller, such as a school or other educational institution, is a fundamental right under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
For the purposes of the UK GDPR and DPA, personal data relates to anything that can identify a living individual including:
In the education sector, SARs commonly constitute requests from members of staff for personnel records, correspondence, and other relevant employee information, such as training records.
The legislation compels schools and other educational institutions, as the data controller of their staff's personal data, to provide copies of the personal data requested, usually within one month of the SAR being made. This deadline applies regardless of whether the request was made during a period of holiday closure. The data controller must also confirm the following information:
The legislation does allow the time period for responding to a SAR to be extended by up to two further months where the request is sufficiently complex. Data controllers that fail to respond to a SAR within the statutory timeframe become vulnerable to a complaint being made to the ICO by the individual who made the request. As an independent regulator, the ICO has wide powers of investigation and enforcement, including the power to issue fines and reprimands. For the education sector in particular, a potential consequence of such action is the risk of reputational damage.
In releasing its new 'SARs Q&A for employers', the ICO's intention is to provide further support and make the SAR handling process easier to understand and navigate, in order to increase compliance with the legislation. In a statement announcing the new guidance, ICO Policy Group Manager Elanor McCombe said:
"What we're seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words 'subject access request' in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to."
The guidance covers a range of common areas of misconception, such as:
This guidance represents an attempt by the ICO to clarify areas of uncertainty in the legislation and to set out its expectations of employers handling SARs. It provides a useful resource against which employers can benchmark themselves, to assess their current level of compliance and to identify where their internal SAR policies and procedures may be exposing them to the risk of enforcement.
SARs are becoming increasingly commonplace for employers, particularly in the education sector, as individuals become more aware of their rights under the DPA and UK GDPR and have access to union advice and support regarding those rights. The new guidance demonstrates the ICO's recognition of this trend, and of the need to help employers create a mainstream, transparent process.
Alongside its new guidance, the ICO has reiterated its commitment to holding to account data controllers who fail to respond to requests in accordance with the legislation. This commitment has most recently been reinforced in the wider public sector, as organisations are expected to uphold practices that align with their legal obligations and to act in a way that maintains public trust and confidence.
Employers as a whole, but particularly those within the education sector, should now review their SAR policies, procedures and current SAR handling to assess their alignment with the new guidance, identify any areas of non-compliance, and ensure these are adjusted accordingly.
A full copy of the ICO's guidance for employers is available to read here.