
ICO offers guidance to employers on responding to SARs


With subject access requests (SARs) from employees continuing to be a frequent occurrence, the Information Commissioner’s Office (ICO) has published timely new guidance for employers. While this guidance is not novel, and is a slimmed-down version of the guidance published by the ICO in October 2021, it provides useful scenarios, such as when an employer may refuse a request or when it might be reasonable to ask that a search be narrowed down.

Assessing SARs, and in particular the application of exemptions, depends heavily on the context, meaning that even with the new guidance each request will need to be viewed on a case-by-case basis. The ICO is clear that it is not for them to tell employers how to respond.

The aim of the guidance may in part be to see a fall in the number of complaints received by the ICO. The ICO has pointed out in its accompanying blog that it received 15,848 complaints between April 2022 and March 2023, amounting to just over 43 complaints per day. We summarise the key points employers need to know from the guidance.

Employers must respond to a SAR to comply with the law. Article 15 of the UK GDPR sets out an employee’s rights of subject access (to their personal data and information about how that data is used), and article 12 of the UK GDPR sets out an employer’s duty to comply.

Employers must (normally) respond to a SAR within one month. Under article 12(3) of the UK GDPR, responses must also be without undue delay, but if the request is complex, or several requests have been made, a response may be delayed by two further months.

Employers cannot charge for dealing with a request, unless the request is ‘manifestly unfounded’ or ‘manifestly excessive’ where a reasonable fee may be charged.

SARs do not need to be made in a prescribed form. A request could be made orally or in writing and could be as simple as: ‘What information do you hold on me?’.

Employers may be able to narrow the scope of the request by clarifying what information the requester is looking for. This should only be done where it may help the employer in its search. Where a request for clarification is legitimately made, this stops the clock on the time limit. Otherwise, employers should carry out ‘reasonable’ searches to comply. Where an initial search returns 3,000 emails, the ICO suggests that an employer may request clarification, and that the employer reviews the emails only to identify those in which the only personal data of the requester is their name, email address and signature, and then provides a summary that “x emails contain only the name, email address and signature of the requester”.

Employers may be able to rely on an exemption to refuse a SAR or part of a SAR.

These include the exemptions set out below (where we also note factors to think about when determining whether or not it is appropriate to withhold the information):

  1. where it relates to another person. Consider whether that person’s consent could be obtained, their rights under the UK GDPR, the type of information in question, and whether any duty of confidentiality is owed. Note that the employer may still need to comply where it would be reasonable to do so without the consent of the third party.
  2. a witness statement. In addition to the above points, consider whether any assurances of confidentiality were given by HR when that person gave their statement.
  3. a whistleblowing report. Employers should take into account the rights given to a whistleblower under the Public Interest Disclosure Act 1998 and their rights under the UK GDPR. Consider also whether disclosure would compromise the report, for example if it were given to the person about whom the report was made.
  4. a confidential reference. Consider whether the reference was confidential when it was given, as well as its purpose: references provided for the purposes of the education, training or employment of someone, or of someone working as a volunteer, are exempt.
  5. where information is protected by legal professional privilege. Consider whether the information was confidential, whether it passed between a lawyer and their client, and whether litigation was possible or probable or whether the communication was for the dominant purpose of obtaining or providing legal advice.
  6. Where the purpose of the processing of information is to prevent or detect crime, or the assessment or collection of tax. Consider whether disclosure could be prejudicial to a case and note that the exemption does not apply to accessing information about automated individual decision-making.
  7. Where processing is for management forecasting or planning about a business or other activity and disclosure could prejudice the business or activity. Consider whether the information is processed for ‘management forecasting or planning purposes’, which for example, includes information about a selection pool for redundancy. Note that the exemption only applies where disclosure would prejudice the activity in question, so may not apply once the activity has been completed.
  8. purely personal data. Consider whether the information relates to a work context. Emails sent from a personal account, which were accessed using a work computer, or WhatsApp messages sent on personal phones, for example, may not need to be disclosed. Company policies on the use of personal accounts and the use of personal devices for work purposes are important here.
  9. where information could prejudice negotiations with the employee. Consider whether the information records the business’ intentions in a negotiation.

Employers may be able to refuse, or charge a reasonable fee for, a SAR or part of a SAR if it is:

  1. manifestly unfounded. This covers situations where it is clear that the employee has no intention of exercising their rights, for example, if they offer to withdraw the request in return for a form of benefit, such as a higher settlement offer, or if the request indicates malicious intent. In practice, tactical SARs may not state the reasons why the request is submitted.
  2. manifestly excessive. This covers situations where the request is clearly or obviously unreasonable. For example, where an employer has provided the information, but not in chronological order, and a second request is made to this effect. Broadly, this assessment should be based on whether the request is proportionate when balanced with the costs involved and the employer’s available resources. If a request appears to be manifestly excessive, employers may consider asking the requester to clarify their request.

Employers cannot enforce clauses in signed settlement agreements which waive an employee’s rights of access. There does not appear to be anything preventing an employee from withdrawing a request in a settlement agreement, however.

Employers must still comply even if a tribunal case or grievance process is ongoing and the employer suspects that the request is for personal information that is to be used against them in potential litigation.

The above points are not exhaustive of the guidance, and we always recommend obtaining advice from an employment and data protection specialist.
