ICO issues new guidance on subject access requests for employers

Posted on June 14, 2023
Posted by Marion Kennedy

The Information Commissioner’s Office (ICO) recently released new guidance on how employers should deal with subject access requests from workers. Although the law hasn’t changed, the ICO has provided a number of user-friendly examples to help you as an employer comply with the existing law. 

This blog explains what a subject access request is, and when and how you should respond if you receive one. 

What is a subject access request?

A subject access request (or SAR) is an individual’s right to access personal data that you hold about them. It can require you to do any combination of the following:

  1. confirm whether you have any personal data about the individual, and if so, what and where it came from if you did not get it from the individual directly;
  2. provide copies of any of that personal data; and/or
  3. provide details of what you are doing with that personal data and why. 

There are no formal requirements for how to make a SAR: for example, a request can be made verbally or in writing (including via social media), and it can be directed to anyone within your organisation. However, the ICO advises that you should have a designated person or team and email address for dealing with SARs. 

If you receive a subject access request (whether from an employee or a member of the public), you should identify exactly what action you need to take in response to the request before embarking on the search for the relevant data. See our Checklist for responding to a subject access request for a step-by-step checklist summarising the process.

How long do I have to respond to a subject access request? 

As an employer, you must respond to a subject access request from a worker within one month of receiving the request, although you may be able to extend the time limit by up to two months if the request is complicated or they have sent you multiple requests. 

Ignoring such a request or failing to reply adequately can lead to sanctions from the ICO and (in the worst cases) significant fines. 

For more guidance on responding to subject access requests from individuals, see our Q&A.

Will it always be obvious that something is a subject access request?

Not necessarily; a request doesn’t have to include the words ‘subject access request’, ‘Article 15 of the GDPR’, or ‘right of access’. Any request for personal information should be considered a SAR. Examples provided by the ICO in their recent guidance include:

  • ‘Please send me my HR file.’
  • ‘Can I have a copy of the notes from my last appraisal?’
  • ‘What information do you hold on me?’
  • ‘Can I have a copy of the emails sent by my manager to HR regarding my verbal warning?’

Can I request clarification for a subject access request?

Yes, but only if your business processes significant amounts of information about someone and the clarification is genuinely needed to respond to the SAR. For example, if a worker asks for ‘personal information you hold about them’, you might ask them whether they want all their personal information, or specific information only. You can’t ask them directly to narrow the scope of their request, but if they come back and ask for specific information only, this can help you to process their request. If your worker says they want all their personal information, the ICO advises that you should carry out reasonable searches to comply with their request. 

If you do ask for clarification (assuming you have appropriate reasons to justify the clarification), the timeframe for responding to the request will be paused until you receive their clarification.

Can I refuse a subject access request?

There are some limited exceptions which may mean you do not have to give a person some or all of the personal data they have requested (for example, where the personal data also relates to another individual, data is prejudiced or commercially sensitive, or data relates to confidential references or health). You can find further guidance on these exceptions in our Q&A.

If you refuse to comply with a request, you must let the individual know, explaining why and telling them that they have the right to complain to the ICO or to enforce their right through taking legal action. 

You can also refuse any request for access to an individual’s personal data if it is manifestly unfounded or excessive. The ICO has provided guidance with examples of what kind of behaviour might meet these criteria; for example, a request may be manifestly unfounded if it is being sent with no real purpose other than to cause disruption. 

A request might be manifestly excessive if it is very disproportionate in the circumstances; you should take into account the context of the request, including your available resources and the nature of the requested information when making this determination. As an alternative to flatly refusing the request, you can charge the person a reasonable fee to cover your costs of complying.

The ICO has provided some examples of manifestly unfounded and manifestly excessive requests in the employment context:

  1. A worker, after being made redundant, submits a SAR to you as their former employer. They state that they are making a SAR in accordance with the UK GDPR and will withdraw it if you can agree on an improved financial package. You can refuse this request on the grounds it is manifestly unfounded. 
  2. A former worker submits a SAR requesting all their personal information processed during their employment. You provide an electronic copy of the personal information to the worker as agreed. The worker subsequently submits another SAR and asks you to resend the information in hard copy format and in chronological order. Provided you take into account all the circumstances of the request (eg whether new information has been collected in the meantime or whether the information will be largely repeated) you should be entitled to refuse the request. 

If you aren’t sure whether a request is manifestly unfounded or excessive, you can contact the ICO for help. They may suggest steps like:

  • requesting clarification to narrow down the search; and
  • considering whether you can supply information in a summary; for example, if a worker has asked for all their personal information, you could advise them that a certain number of emails contain only their name, email address and signature.

Do I have to disclose emails that my worker is copied into?

Ultimately, it is for you to determine whether any of the information in a worker’s email (apart from their name and email address) is their personal information. However, as advised by the ICO in their latest guidance, it’s important to remember that:

  • the right of access applies to the worker’s personal information contained in the email; 
  • whether the email is the worker’s personal information depends on the content of the email and whether it is about the worker; and
  • just because the worker receives an email, this does not mean that the whole content of the email is their personal information. You’ll need to look at the context of the email to determine this. 

For example, if a worker requests copies of all emails containing their personal information, and one of the emails includes information about the five top performing team members, you should redact the names of other people disclosed in the email before giving it to your worker. 

Do we have to include searches across social media when dealing with subject access requests?

Yes. If your company uses social media platforms for business purposes, you must search those platforms for any personal information. Additionally, social media posts or screenshots supplied to you by other workers can potentially be included.

The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.