Handling subject access requests
- This brief guide focuses on the main points to consider and legal obligations relevant to employers who receive a subject access requests (SAR) and, where relevant, draws comparison to the old regime which pre-dates the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
- For a guide to employers' data protection obligations, see our separate guide.
- No fee is chargeable unless the request is ‘manifestly excessive or unfounded’ in which case a ‘reasonable’ fee can be charged to cover administrative costs.
- These terms are not defined but our understanding is that manifestly excessive or unfounded requests will include repetitive requests within a small window of time or requests for additional copies of the same information.
- You must respond ‘without undue delay’ and, at the latest, within one month of receipt of the request.
- This timeframe can be extended by up to two months if the request is complex and/or you have numerous requests from the same individual to deal with.
- Any such extensions, and the reason for it, should be confirmed to the applicant in writing before the initial one-month time limit expires.
- You can still ask the individual for additional information to confirm their identity and to clarify their request. Your timeframe to respond begins once you receive sufficient information to confirm their identity and/or identify which data falls into scope.
- You can refuse a request is if is manifestly excessive or unfounded although we recommend this is only done as a last resort.
- If you refuse the request, you should provide the applicant with the reason(s) for this decision.
- You will need to give the applicant specific information in your response:
- your retention period(s)
- the applicant’s right to have inaccurate data corrected
- the legal basis for processing personal data
- the applicant’s right to lodge a complaint with the Information Commissioner’s Office
- details of transfers of personal data outside the EEA including details of any relevant safeguards made
- The results of the SAR should be made available to the individual via the same method as their request, where possible.
- For example, you could send them the results electronically if they submitted their request by email or other electronic means, or you could make it available through an electronic portal or data room providing of course that adequate safeguards are taken.
- We don’t currently have any guidance on how long such an online portal should be available for but it would be reasonable and sensible to set a time limit on it, and to ensure the applicant is told of this and possibly, given the opportunity to receive a copy by CD or paper.
- It is a criminal offence to alter records with the intention of preventing disclosure following a SAR.
- This will be punishable by an unlimited fine. We recommend you remind managers of this and ensure they know to send any SARs to you, or a designated Data Protection Officer or Team, immediately upon receipt..
Q: I have just received a SAR. What do I do?
A: Respond openly and quickly.
- Contact the individual making the request:
- confirm their identity
- acknowledge the request, explain next steps and set expectations
- If necessary, seek to clarify the parameters of the request, and agree issues such as the search terms to be used, sources of data and the timeframe covered (the time limit to comply with the request will only start to run from the date of the clarified request).
Q: Do I have to have a SAR policy?
- There is no legal obligation to have a formal policy.
- However employees should be made aware of their right of access to personal data, and how to do so.
- One of the key principles of GDPR is accountability, and that data controllers should ‘implement appropriate technical and organisational measures to ensure’ compliance.
- ICO guidance does however make it clear that it expects employers to have policies in place setting out how data is processed, what employers can use their IT systems for and how data can be accessed.
Q: This is the employee’s second SAR in a year, and they are just trying to be awkward. Can I reject the request as manifestly excessive or unfounded?
- ‘Manifestly excessive or unfounded’ is not defined in the legislation, but it will be a very high test for an employer to overcome.
- Examples are given by the ICO in its guidance for what may be a ‘manifestly unfounded’ request. These include:
- the individual clearly has no intention to exercise their right of access (e.g. they say that you must comply with their SAR unless you agree to settle with them), and
- the request is malicious in intent, e.g. exercising a personal grudge, or making unsubstantiated allegations, or explicitly causing disruption
- Aside from these instances, the employee’s real motivation for the request does not matter – the data subject has a right to make the request. If the ICO believes that the individual does intend to exercise their right of access, the request is unlikely to be unfounded. Therefore, the request cannot be ignored or refused because you suspect the individual may be seeking information to support a grievance or a tribunal claim.
- Definitions or examples of when you will refuse to comply with a request clearly set out in an accessible policy will help. They will allow you to show that you have explained to employees when a request would and would not be accepted, but these will not be determinative to the ICO or a court.
Q: We have received a request from a former employee who signed a settlement agreement – do we have to comply?
A: Possibly yes.
- The ICO has made it clear that an individual’s right to access should not be compromised by a settlement agreement, and that any general clauses prohibiting an employee from making a SAR could be unenforceable.
- Clauses that simply limit the right to bring a SAR in relation to issues that have already been raised, or about which a SAR has already been raised (therefore, to prevent a repeated request) should still be enforceable.
Q: We do not have the time or resources to process the request, can I refuse to comply?
A: Probably not.
- No right to refuse request on the grounds that it is too onerous.
- However, ICO guidance states that it will not enforce requests that require disproportionate effort on your part.
- If you want to argue that costs would be disproportionate it is likely that you may have to demonstrate this to a court or the ICO.
- The ICO has provided guidance with the example of a small business employing four members of staff, who receive a SAR resulting in 3,000 emails results containing the employee’s personal data. In such a scenario, the ICO recommends the employer:
- requests clarification from the employee to narrow down the search
- isolates the emails that only contain the name, email address and signature of the individual
- considers if that portion of the results can be provided in summary form, e.g., ‘1,000 emails that contain only your name, email address and/or signature’. If this is possible, then it would be preferable to stating that the request is manifestly excessive and provides a response to the individual.
- Engage with the employee, explain the position and seek to agree what you will provide.
Q: I do not think that I can comply with the time limit - what do I do?
A: Contact the requester.
- You can extend the 30-day time limit by an additional 2 months if the request is complex or numerous. You must provide notice of the extension within the initial 30-day limit.
- Contact the individual who made the request to explain why you cannot comply and look to agree an extension.
- If no agreement reached, provide what you can and explain that what information will follow and when.
Q: What do I need to provide?
A: All personal data - subject to discretion.
- In most cases, you should provide a copy of personal data being processed about and relating to the individual - this includes all emails which contain personal data about them, which can even include placing them at a particular meeting.
- The search for data should include all social media platforms operated by the employer, and an employer may also have to consider personal email and communication accounts if they are accessed via a work laptop or device if the employer becomes the controller of that data.
- However, the individual’s right to access to data must not compromise the rights of others. You are not required to disclose information that:
- is subject to privilege
- is a reference given in confidence for employment or training purposes
- is processed for management purposes and where disclosure would prejudice that business activity
- Any document containing third party material should be redacted or excluded.
- If the third party was, for example, a witness in a grievance or disciplinary investigation, were they assured anonymity? If so, guidance from the ICO suggests that it may be justifiable to withhold that third party’s data so as not to betray that assurance.
- Would the third party consent to their data being disclosed, or is there any other basis on which disclosure would be justified?
- Consider if the third party is still identifiable even if their data is redacted.
- In the case of CCTV footage, the ICO suggests that employers should use a system that enables them to extract and disclose personal data in response to SARs (while protecting the data of third parties). However, if an employer does not have such a system, they should consider providing still photographs with the identities of third parties redacted.
- If any information is withheld, keep a record of what and why.
- When responding to the request, you must also provide details of
- how long you intend to retain the data and why
- the employee’s right to have inaccurate data corrected
- the employee’s right to lodge a complaint, and
- any transfers outside the EEA/UK and the safeguards made