New ICO guidance on SARs for employers – a useful reminder on how to comply
30 May 2023
From April 2022 to March 2023, 15,848 complaints related to the right of subject access were reported to the Information Commissioner’s Office (ICO). Elanor McCombe, Policy Group Manager at the ICO, singles out employers as some of the main culprits – either misunderstanding the nature of subject access requests (SAR), or underestimating their importance.
In an attempt to support employers in responding to requests, the ICO have published guidance specifically for employers on how best to respond to SARs. This guidance reinforces (and repeats much of) the existing guidance on the right of access. Unfortunately, that means the new guidance is not the magic wand many employers were hoping for, one that would save them from large-scale and costly disclosure-lite exercises which tend to consume a great deal of time and resource.
However, there are a number of helpful new examples given by the ICO to reinforce their advice. We give our comment on some of those examples below:
The format of SARs
A SAR can be made verbally or in writing and need not include the phrase ‘right of access’ or ‘UK GDPR’. The following are all examples of valid SARs:
1. ‘Please send me my HR file.’
2. ‘Can I have a copy of the notes from my last appraisal?’
3. ‘What information do you hold on me?’
4. ‘Can I have a copy of the emails sent by my manager to HR regarding my verbal warning?’
These are, we expect, common questions received by HR / People teams, and they would all need to be responded to in accordance with the UK GDPR. It’s wise for employers to think about providing access to situational and interactive training to their HR team to help them in identifying and responding to SARs.
Clarifying the request
On clarifying searches, the ICO gives the example of a worker who has been employed for 20 years. The ICO state that, if the worker requests all of their personal information, and refuses to narrow down their request, you should carry out reasonable searches for their information to comply with the request. Much will hang on the definition of the word ‘reasonable’ in this example, and it would have been helpful if the ICO had given an example of reasonable ways to reduce the volume of data that can arise from these broad searches.
A common question is whether witness statements used for internal disciplinary or investigative issues should be disclosed in response to SARs. The ICO gives the example of a request from a worker for copies of witness statements collected in response to an allegation of bullying towards a junior member of staff, in which the worker was allegedly involved.
Where an employee is given an expectation of confidentiality when providing a statement, and redaction would not prevent that employee’s identity from being disclosed, then such statements could be withheld from disclosure in response to the SAR.
This serves as a useful lesson to HR teams that any expectation of confidentiality should always be communicated at the outset of such meetings. However, this will need to be balanced against demands for anonymity – which is often incompatible with completing a reasonable investigation.
Similar logic applies to whistleblowing reports. Where a whistleblowing report may disclose the identity of the individual whistleblower, for the reasons set out above, such a report could be withheld from disclosure in response to a SAR. If in doubt, it is much easier to subsequently disclose an undisclosed document than to try to row back from a document that should not have been disclosed – so we would recommend withholding documents if there is a risk of third party identification.
An exemption applies to personal information that you process for management forecasting or planning about a business or other activity. The ICO’s previous example referred to withholding information relating to a potential redundancy where doing so would be likely to prejudice the conduct of the business by causing staff unrest. The example in the new guidance also refers to redundancies – an employee hears a rumour about redundancies, a SAR is submitted, and the information is withheld as it may prejudice the conduct of the business and cause staff unrest.
There are many situations where disclosing data may prejudice the conduct of the business in other contexts (e.g. regulatory investigations or formal internal processes), yet the data may still need to be disclosed, and we have never really received a thorough definition of ‘management forecasting or planning’. It would have been helpful to employers to have some examples of this outside of the context of redundancy.
Manifestly excessive SARs
Further guidance in this area would also have been welcome. The ICO cites two examples:
- You are the owner of a small business, employing four members of staff. You receive a SAR from a former worker requesting all the information you hold. An initial search returns 3,000 emails containing the worker’s personal information. You consider the request to be manifestly excessive. You contact the ICO for further advice. The ICO recommends:
a. requesting clarification from the worker to narrow down the search;
b. reviewing the emails for those which only contain the name, email address and signature; and
c. considering whether you can supply this information in a summary, for example ‘1000 emails contain only your name, email address, and signature.’
You decide to provide a summary of the information.
The problem with this approach is that the employee will likely not provide any clarification (especially if they have submitted a tactical SAR), and reviewing the emails which contain only the name, email address and signature is still a very time-consuming exercise. In the vast majority of cases, further searches are required to bring the numbers down to a reasonable level.
It is interesting as well that they have included a reference to the four employed members of staff. Would the advice have been different if the SAR was submitted to a multinational organisation? Further guidance here would have been helpful.
- A former worker submitted a SAR requesting all their personal information processed during their employment. You provided an electronic copy of the personal information to the worker as agreed. The worker subsequently submitted another SAR and asked you to resend the information in hard copy format and in chronological order. You refused the request, citing it as manifestly excessive, because:
a. you had already supplied all the personal information in an electronic copy as agreed with the worker;
b. no new personal information had been generated since you issued the first SAR response; and
c. you provided the information in a clear and intelligible format.
The former worker raised a concern with the ICO. On review of the information provided, the ICO considered that the organisation had lawfully applied the exemption.
In our experience it is rare for concerns about the format, rather than the substance, of the response to be raised with the employer, but this is useful guidance for those rare occasions when you are presented with a particularly fussy data subject.
It is interesting that the ICO have confirmed that a settlement agreement that limits an employee’s right of access is unenforceable under data protection legislation. This has always been the practitioners’ view, even before the GDPR came into force, and in practice organisations will have to continue to rely on the likelihood that an employee no longer has a reason to follow up an existing SAR, or to submit a new SAR, once a settlement agreement has been signed.
The ICO have also suggested that, in some cases, information in employees’ personal email accounts does not need to be disclosed in response to a SAR, even where such personal accounts can be accessed via work laptops.
Employees will often ask for WhatsApp and text messages (as well as personal emails) to be provided to them. Where these systems are personal to employees, they generally do not need to be searched in response to a SAR, though the position becomes more complex when these mediums are used for business purposes in practice. Employers can put themselves in the best possible position here by clarifying that such mediums are not to be used for business purposes in acceptable use (or similar) policies.
While much of this guidance will serve as a useful reminder to employers, the content should not come as much of a surprise to those who regularly deal with SARs. The new guidance repeats and consolidates much of the advice that has already been published. While greater direction would have been helpful in relation to key areas, particularly dealing with manifestly excessive SARs, the ICO is keen to remind readers that it cannot advise employers what to include in a SAR response.
Employers will therefore need to continue to consider each SAR on its own facts, consider any exemptions that may apply, and demonstrate compliance with their duties as they always have – with a few more helpful nuggets from the ICO to assist!