Handling subject access requests (“SAR”) effectively and within the legal timeframe remains a challenge for many employers especially where SARs are becoming increasingly onerous. The amount of information held about employees and former employees (whether in a personnel file, internal memorandums, meeting notes or simply email correspondence) can be vast. Understanding from the outset how to respond to an SAR is crucial because failing to respond can expose the business to a claim, fines, enforcement action and reputational damage.
What is a SAR?
Individuals (e.g. employees) have a right to be informed by an organisation (e.g. their employer) whether or not it is processing personal data that relates to them and, if so, to be told:
- What personal data it is being processed.
- The purposes for which the personal data is being processed.
- Who, if anyone, the personal data is disclosed to.
- The extent to which it is using the personal data for the purpose of making automated decisions relating to the data subject and, if so, what logic is being used for that purpose.
Employers are required to respond to an SAR by providing, in an intelligible form, copies of the personal data and any information about the sources of the data. There is currently a 40 calendar day time limit to respond to the request.
Recent cases and guidance
We have seen a number of significant court decisions on SARs this year and the principles from those judgements have been included in the revised code of practice issued by the Information Commissioner’s Office (the “ICO Code”). The key updates include:
- Reason for the request
SARs are often used by employees or former employees as a “fishing expedition” to obtain information in the context of disciplinaries, grievances and litigation, rather than for verifying/correcting their personal data. Previous court decisions have held that making an SAR in this context was an abuse of process and not the purpose of the legislation. However, recent cases and the ICO Code have clarified that an employee’s purpose for making the request is not relevant and employers need to respond regardless of whether the employee has an ulterior motive for making an SAR.
- Disproportionate effort
Employers can refuse to provide information where doing so would involve disproportionate effort. Difficulties throughout the process (from finding, analysing and providing the data) can be taken into account. However, employers must be able to show that they have taken all reasonable steps to comply with the request and, as the ICO Code notes, “should be prepared to make extensive efforts to find and retrieve the requested information.”
Whilst the ICO Code does not contain updates the reflect the changes coming into force through the General Data Protection Regulation next May, the right to make an SAR will be very similar, with the key changes including:
- Abolition of the £10 administration fee (although “reasonable” fees can be charged for manifestly unfounded or excessive request).
- Reducing of the timescale for responding to 30 calendar days rather than the current 40 days.
- Higher fines for failing to comply. The maximum fine that can be issued by the ICO is 4% of global turnover or 20 million euros, whichever is higher, and individuals also retain the right to pursue a claim in court.
The Dos and Don’ts
- Don’t ignore. This can lead to financial penalties, enforcement action, legal proceedings and reputational damage.
- Don’t delay. Dealing with an SAR is time consuming so engage the appropriate personnel and start locating the information as soon as you receive an SAR.
- Liaise with the individual if you need further information to verify their identity or to enable you to locate the requested information.
- Locate the personal data. Consider electronic systems and manual filing systems, back up data and any third party data processors (e.g. payroll and benefit providers) who may also hold relevant personal data.
- Redact information relating to other individuals unless you have their consent or it is reasonable in all the circumstances to provide that information.
- Consider whether an exemption applies where the data would be exempt from disclosure.
- Respond to the request within the timeframe, provide copies of the relevant data and explain if and why you are relying on any of the exemptions.
By Sarah Thompson, employment lawyer, McGuireWoods
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/