The Information Commissioner’s Office (ICO) has published new guidance for employers on subject access requests (SARs). The ICO’s accompanying press release reports that, in the last year, 15,848 complaints relating to SARs were made to the ICO, an indication of the significance of this area of data protection.
The guidance is in the form of Q&As which, although they reflect existing ICO guidance on the right of access, contain helpful examples on the various exemptions that may allow employers to withhold or limit the information they supply when responding to a SAR. The guidance stresses that exemptions must be applied on a case-by-case basis and employers must justify and document the reasons for relying on them. The exemptions include:
- Information about other people – for example, if the employer is providing notes relating to the worker’s performance, details about the performance of others can be redacted. Similarly, an employer could decide not to disclose witness statements relating to a disciplinary issue if they were given with the expectation of confidentiality and redaction would not prevent the writer’s identity from being disclosed.
- Confidential references. There is an exemption for confidential references provided (or received) for employment purposes. The Q&A says that employers should make it clear in privacy statements, staff handbooks or policies that they treat references as confidential.
- Management information. Employers can withhold personal information processed for management forecasting or planning in relation to a business, if disclosure is likely to prejudice the conduct of the business. For example, if, during a restructuring exercise, a SAR asks about redundancy selection pools, an employer might decide to withhold the information and respond that it can neither confirm nor deny that it holds the information.
- Information included in a record of intentions in negotiations with workers (about a severance package, for example) can be withheld, but only if complying with the SAR could prejudice the negotiations. This is likely to apply only during the negotiations and the employer must demonstrate how the negotiations would be prejudiced.
The Q&As highlight other issues for employers to consider:
- An employer can refuse to comply with a SAR if it can show that it is “manifestly unfounded or manifestly excessive”. The “manifestly unfounded” exemption will only apply if the SAR is malicious or the individual clearly has no intention of exercising their right of access. To rely on “manifestly excessive”, the employer must assess whether the request is “clearly or obviously unreasonable”. This is a difficult balancing act, based on whether the SAR is proportionate when weighed against the costs of compliance, with the employer’s resources a relevant factor. An important point to note is that a request is not necessarily excessive merely because it asks for a large amount of information.
Although not mentioned in the Q&As, there is a helpful amendment in the Data Protection and Digital Information (No. 2) Bill currently going through Parliament; as drafted, the Bill would change the threshold for refusing a request from “manifestly unfounded or excessive” to “vexatious or excessive”.
- The time limit for responding (ordinarily within one month of receipt) can be paused while the employer seeks clarification of the request, but only if the business processes a large amount of information about the individual. The employer can ask for additional details about the SAR but cannot make the individual narrow their request. The one-month period for response can be extended by a further two months if the employer can show that the request is “complex”.
- SARs do not have to be in a particular format – all the worker needs to do is make it clear, verbally or in writing (including by social media), to anyone in the organisation, that they are asking for their own personal information. Employers should therefore ensure that they have a designated contact for SARs, and that staff are made aware of the contact details.
- A settlement agreement cannot override SAR rights and an employer cannot refuse to comply with a SAR simply because there is an ongoing grievance or proceedings in an employment tribunal.
- If an employer uses social media platforms, these must be searched for personal information in response to a SAR.