ICO Guidance on Data Subject Access Requests

On 21 October 2020, the Information Commissioner’s Office finally published what it called “detailed guidance” on Data Subject Access Requests (DSAR). Despite taking some 18 months to be released, the guidance should not be overlooked as it contains many useful pointers for employers who are having to deal with more and more subject access requests, some of which, especially when litigation is contemplated, are extremely onerous.

DSARs – the basics

Firstly, the Data Protection Act 2018 (DPA) has been modified since the end of the Brexit transition period and although most of the principles of the GDPR remain, not all do.  Data protection in the UK is now governed by the DPA and the UK GDPR. The UK GDPR gives individuals (“Data Subjects”) the right of access to their data; however, it is important to remember that when responding to any DSAR, the employer must all supply the following information:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. the right to lodge a complaint with the Commissioner;
7. where the personal data are not collected from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, if any (and other information about that if used); and
9. if their personal data is transferred outside of the UK, what safeguards are in place.

Unless otherwise requested by the individual, information should be provided in electronic form where the individual made the request in electronic form.

The employer must produce copies of the information it holds in permanent and intelligible form. This may include a copy of the employee’s personnel file, but is likely to go far further than just this.

Three important points are worth noting:

• The UK GDPR does not specify how to make a valid request. An individual can make a subject access request to their employer verbally or in writing. It does not have to be to any specific person. A request does not have to include the phrase ‘subject access request’; it just needs to be clear that the individual is asking for their own personal data.
• The employer should respond promptly to such a request and within one month (subject to any extensions granted)
• Employers are no longer permitted to charge individuals for providing the information (subject to certain exceptions).

What clarifications does the guidance make?

Requests beyond one month

“What should we consider when responding to a request?” discusses when you can ask for an extension beyond 1 month. It’s not in all cases: it has to be “complex” or the employer has to have received a number of requests from the individual. The guidance discusses what is “complex” and gives a helpful list of examples.

There is a “stop the clock” process if you ask for clarification about the request, but you can’t ask for clarification as a blanket approach. You can only request clarification if it is genuinely required and you process a large volume of information. You cannot force an individual to narrow the scope of their request. The “clock” starts again when the clarification is received.

Charging a fee

The same section “What should we consider when responding to a request?” discusses when you can charge a fee. This is when the request is manifestly unfounded or manifestly excessive or an individual asks for further copies of their data following a request. The guidance discusses how you could determine what a reasonable fee is, and what fees could consist of e.g. photocopying, printing, posting, equipment and supplies (eg USBs) and staff time. There is currently no limit but fees must be based on unbiased criteria. If you are able to charge a fee, you do not need to comply until you have received it, but should request and explain the fee as soon as possible.

Refusing to comply with a request

There are exemptions that may be relied on which allow an employer to refuse to disclose certain personal data, for example where it relates to management forecasting, where legal professional privilege applies or in relation to references given or received.

A subject access request may also be refused if the request is demonstrably manifestly unfounded or manifestly excessive. The section “When can we refuse to comply with a request?” sets out what is considered by these expressions.

Manifestly unfounded, for example could mean:

• “the individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
• the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption”.

Manifestly excessive, for example could mean:

• “clearly or obviously unreasonable. You should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request”. 

There is a list of what should be taken into account.  It is important to remember that just because a request is large does not necessarily mean it is excessive.

If the employer refuses to comply with a request, it must inform the individual of:

• the reasons why (and, if on the grounds of manifestly unfounded or excessive, the employer must demonstrate why it believes this);
• their right to make a complaint to the ICO; and
• their ability to seek to enforce this right through the courts.

How far do you need to go?

The section “How do we find and retrieve the relevant information?” is helpful regarding the lengths to go to in order to find the information.

The guidance addresses archived data, deleted data and information stored on, perhaps, another employee’s personal (not employer-given) equipment. It also discusses how to deal with situations where there are huge amounts of emails which the data subject may have received or been copied in on but which contain no other personal data about them. It suggests you could just state how many emails the employer holds with them as a recipient and the email address used: this is personal data but nothing else in the email is.

Information about others

As we know, care must be taken when information which has been requested also contains information regarding third parties (e.g. any person other than the individual who made the subject access request).  There may be a need to ask that other person to consent to the information being made available to the data subject or it may be considered preferable to blank out information which might identify that other person.

The guidance contains a whole section on “Information about other individuals” and how to approach that.

There are various other helpful sections covering, for example, unstructured manual records and ICO enforcement.  Employers must remember that data subjects can make an application to the court to order access to personal data, or to award compensation for material or non-material damage for a breach of the UK GDPR, which could include refusing to correct inaccurate data, failure to provide them with the information required in a privacy notice, unauthorised disclosures of their personal data, or a delayed response to a subject access request.

Our specialist Employment law team work closely in conjunction with our Commercial Data Protection team and can advise extensively on how to handle individual data subject access requests.

This article is part of the Employment Law Newsletter – Winter 2021