In a world where data has become more valuable than oil, the importance of data protection and privacy cannot be overstated. Employees and individuals have the right to access personal information organisations hold about them.
This can be achieved by making what is known as a data subject access request. Failing to comply with a data subject access request is a breach of the law, and organisations that fail to comply can be fined or reprimanded by the Information Commissioner’s Office (ICO).
To support employers in complying with their obligations under the UK General Data Protection Regulation and the Data Protection Act 2018, in the spring of this year, the ICO published new guidance for businesses on how to respond to data subject access requests.
The guidance deals with data subject access requests made by current or former employees. One common reason for making a data subject access request is that the individual is contemplating litigation and wants copies of their personal data to establish the facts of a dispute, or even to use as evidence in a live employment tribunal case. The guidance is set out in a question-and-answer format and includes several helpful examples of what employers ‘must’ and ‘should’ do when responding to data subject access requests raised by employees.
The guidance covers several aspects, including:
- Timeliness of responses: the ICO reiterates to employers their obligation to promptly respond to data subject access requests within one month, with extensions being allowed in limited circumstances.
- No formatting requirements: a data subject access request does not have to be in a particular format to be considered a valid request. This means that individuals can easily make requests, including verbally or even via social media.
- Ability to clarify requests: employers may clarify or seek to narrow the scope of the data subject access request with the individual making the request, particularly where there is a lot of information about the individual concerned. That said, if the individual fails to respond to the clarification request or refuses to narrow their demand, this does not extend the time for compliance.
- Handling complex requests: the ICO offers guidance on managing complex or manifestly unfounded requests, allowing employers to refuse to comply if the request is ‘manifestly unfounded’ or ‘manifestly excessive’. Examples of how an employer should assess whether this is the case are given in the guidance. However, each request should be considered on its facts, and if in any doubt, legal advice should be sought.
- Exemptions: the guidance outlines situations where data may be exempt from disclosure, such as protecting legal privilege or third-party data. Employers have wide discretion to determine whether it is reasonable to withhold or disclose third parties’ personal data that is intermingled with the requestor’s data.
- Settlement/non-disclosure agreements (NDA): subject access is a key right for individuals that cannot be overruled by a settlement/NDA. Such overruling would be unenforceable under data protection legislation.
- Fees: in most cases, employers cannot charge a fee for responding to data subject access requests.
The new ICO guidance is welcome because dealing with data subject access requests can be resource-draining, costly and time-consuming. Nevertheless, it does not displace the onerous burden that data subject access requests place upon employers. Responding to them can be a hard and laborious exercise, particularly where the data subject access request is being used to gather evidence for an ongoing internal dispute or employment tribunal claim.