Last week, the ICO released new guidance for employers, in a Q&A format, on responding to Subject Access Requests (SARs). It comes with an accompanying blog titled “It’s important not to get caught out” – New SARs guidance for employers.
Currently the ICO is focused on employment practices and publishing updated guidance in stages. Public consultation on the ICO’s Employment Practices Code closed back in October 2021, and it is analysing responses to consultations on new drafts on ‘monitoring at work’ and ‘handling workers’ health information’.
Since the introduction of the UK GDPR, the ICO has reported taking few enforcement actions against businesses because of how SARs were handled. Yet between April 2022 and March 2023, it received 15,848 complaints about SARs. The heading of its new blog specifically mentions that employers risk a fine or reprimand, and it quotes the ICO’s Policy Group Manager saying “For those who continue to fail to respond to [SAR] in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.” This may signal a shift in its approach to enforcement.
The new guidance provides helpful practical examples, addressing issues which commonly arise for HR professionals, in particular when exemptions in the UK GDPR apply and information need not be released. It reminds organisations that these exemptions need to be applied on a case-by-case basis and that the justification should be documented internally, in order to meet the accountability requirement of data protection law.
Case study examples given include situations where an employer has witness statements from other staff alleging misconduct by a requestor, and requests for information about an individual’s own workplace performance, where this has taken place in the context of management discussion of a team’s performance. It also looks at whistleblowing situations.
Businesses and their advisors will welcome aspects of this guidance about when a SAR can be refused. The example given relates to a worker submitting one in the context of a redundancy, offering to withdraw the request if an improved financial package is put forward – clearly indicating that the individual has no genuine intention to exercise their right but is using it to harass, with no real purpose other than to cause disruption. There is also guidance on how to approach requests which an organisation views as ‘manifestly excessive’.
Unsurprisingly, but perhaps less welcome to some businesses, the guidance clarifies that employers using social media platforms for work purposes (such as WhatsApp, and chat channels on Microsoft Teams) are the “controller” of personal data that staff input onto those platforms in such situations. But the guidance helpfully reminds organisations that policies and procedures (such as an Acceptable Use or IT policy), informing staff of what they can and can’t do on business systems, can help limit the scope of what personal data the organisation ‘controls’ and needs to collect and review when responding to SARs.