ICO guidance for employers: Subject Access Requests

As many employers will know, responding to a Subject Access Request (SAR) can often be a time-consuming and challenging process. The Information Commissioner’s Office (ICO) has therefore recently published guidance specifically for businesses and employers.

Under the UK’s GDPR and Data Protection Act 2018, individuals have the right to access their own personal data that’s held by organisations such as employers. If an employer therefore receives a SAR from an employee and fails to respond promptly or at all, the ICO has the power to fine or reprimand the employer.

According to recent figures, between April 2022 and March 2023, the ICO received over 15,848 complaints relating to SARs. The ICO notes that many employers appear to misunderstand the nature of SARs or underestimate the importance of responding to such requests.

When responding to a SAR, employers might have, for example, some of the following questions:

What is the right of access?

According to the ICO, the right of access gives an individual the right to obtain a copy of their personal information from an organisation such as their employer. This will include where the organisation got their information from, what it is using it for and who the organisation shares the information with.

Employers should note that they must respond to a SAR from an employee promptly and within one month of receipt of the request. It is possible, however, to extend the time limit by up to two months if the request is complex or the employee has sent several requests.

Can we clarify the request?

The ICO’s guidance states that it is possible for an employer to ask the employee to specify the information or processing activities they are looking for before responding to their request. An important point to note is that until the employer receives clarification, the time limit to respond to the request is paused.

The guidance emphasises that an employer should only seek clarification if it’s genuinely required to enable the employer to respond and because the employer processes a large amount of information about the employee.

Do we have to disclose emails that the worker is copied into?

A SAR only entitles the employee to obtain a copy of their personal information from their employer. This means that an employer must consider what information in the email is considered “personal information” of the employee. The guidance states that it will also depend on the email’s contents and the context.

Whilst it will be for the employer to decide whether information is the employee’s “personal information”, the ICO states that there are several things to remember. These include: (1) if the contents of the email relate to something else such as a business matter, this does not mean that it is not the employee’s personal information. It depends on the content of the email; (2) as the SAR only applies to the employee’s “personal information”, the employer might need to disclose only some of the email in order to comply with the SAR; and (3) although the employee might have been the recipient of the email, it does not necessarily mean that the whole content is the employee’s “personal information”. Please note, however, that their name and email address are considered “personal information” and must therefore be disclosed.

Every SAR will be different, so employers should always be careful and ensure that they follow the ICO’s guidance, which can be found here: SARs Q&A for employers | ICO

If you require any advice in relation to responding to a Subject Access Request, please contact the employment team at Morgan LaRoche.