Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
On May 24, 2023 (or as we like to call it, the eve of GDPR’s 5th birthday), the UK’s data protection body, the Information Commissioner’s Office (the ICO), published a new guide for employers on responding to data subject access requests (DSARs).
When publishing the guidance, the ICO noted that it received over 15,000 complaints regarding subject access in the last year and failure to comply with a DSAR was the most frequent reason that people complained to the ICO, making up around a third of all of the complaints.
Failing to comply with a DSAR can result in fines or reprimands as well as reputational damage, so it is important that organizations get it right. We are also increasingly seeing failure to comply with DSARs being cited as a complaint in employment litigation.
What are DSARs?
The right of access gives individuals the right to request a copy of their personal information from organizations. Organizations must respond to a DSAR within one month of receipt of the request although this timeframe can be extended by up to a further two months if the DSAR is complex or if the employee has sent a number of requests.
DSARs have become a strategic tool for employees attempting to gain information, often during a dispute or grievance process. Employers must strike a balance between upholding employees' right of access, protecting sensitive corporate information, protecting other individuals’ data and applying legal exemptions in an appropriate way. As many employers have learned the hard way, DSARs can be time-consuming and resource intensive.
What does the guidance include?
Although the new guide doesn’t tell us anything new, it includes some practical guidance for employers on some common tricky areas, for example:
- disclosure of witness statements used in internal disciplinaries or investigations;
- disclosure of whistleblowing reports;
- the application of the existing legal exemptions (e.g., confidential references, privilege, management information and negotiations with the requester);
- when a request is manifestly excessive (and can therefore be refused);
- whether you still need to comply with a DSAR if the worker has signed an NDA or settlement agreement;
- whether you need to comply with a DSAR if the individual is going through an employment tribunal or grievance process (spoiler alert: yes, you do);
- how to deal with emails that the worker is copied on;
- searches of social media used in the workplace (e.g., Facebook, WhatsApp, Twitter); and
- how to deal with requests for CCTV footage.