DSAR Updates for Employers and Businesses

On 24 May 2023, the Information Commissioner’s Office published updated guidance for businesses and employers in relation to Data Subject Access Requests.

Who is the ICO?

The ICO is a public body that exists to uphold information rights in the UK and promotes data privacy for individuals and transparency by organisations.

Legislation within the purview of the ICO includes, the Data Protection Act, the General Data Protection Regulation (GDPR), the Freedom of Information Act and the Investigatory Powers Act.

What is a SAR?

Under data protection law in the UK, an individual is legally entitled to request a copy of their personal information from a data controller, this is known as a Subject Access Request (SAR).

The ICO will first expect an individual to make their request directly to the organisation in question. If you do not respond within the set timeframes, or otherwise comply as you ought to, the individual can refer a complaint to the ICO.

The ICO reports that it received more than 15,000 subject access complaints in 2022.

They have also identified that employers often underestimate the importance of responding to requests for information. Sometimes, organisations do not even recognise that they have received a SAR. It is important to note that a SAR does not have to be submitted formally, in writing, or sent to your business by a lawyer. An informal request, that does not even state it is a SAR, sent to a business via social media, could qualify as a legally valid information request.

What sort of information might someone request?

If you are an employer, you could expect to receive SARs from previous or current employees. The requested information may therefore include payroll details, internal notes and correspondence with or about the employee, disciplinary records, sickness absence records etc.

As a business, you might also expect to receive SARs from previous or current customers, in relation to which their purchase history and customer profile may be relevant and hold the information and data they require.

Timescales

If your organisation receives a SAR, you must respond within one month of receipt. If the SAR is complex, you may be able to extend your timescales for response by an additional two months.

What if I don’t respond?

Your organisation could be reprimanded or fined by the ICO if it does not respond appropriately to a SAR. Notably, the ICO reprimanded the Ministry of Defence last year for failing to address its’ resourcing issues and therefore failing to resolve the growing backlog of unanswered SARs. As at April 2022, the backlog of SARs had reached around 9,000.

The Home Office was similarly reprimanded with a number of requesters suffering from distress as a result of the failure to respond as legally required.

What if the request is for litigation?

As an employer, you may receive a SAR from an ex or current employee during or in anticipation of employment tribunal proceedings. You cannot refuse to respond to a SAR simply because you think it could be for the purposes of litigation.

There are a number of exemptions under data protection law which may justify non-disclosure of requested information. It is important that you identify the exemption relied upon as you must be able to justify non-disclosure of requested data and record your reasoning.

If you require data protection law assistance, contact our data protection lawyers on 01202 525 333   for more specialist legal advice and guidance.