NEW ICO GUIDANCE FOR EMPLOYERS ISSUED: SUBJECT ACCESS REQUESTS (SARs)

On 24 May 2023, the Information Commissioner’s Office (ICO) published new guidance on Subject Access Requests (SARs) by way of a ‘SARs Q&A for Employers’.

The headline to its press release states “It’s important not to get caught out”, which is then followed by 3 bullet points as follows:

  • ICO publishes new guide on responding to subject access requests;
  • Employers risk fine or reprimand;
  • Over 15,000 Subject Access complaints to ICO last year

This perhaps signals a harder line, and a potential crackdown by the ICO going forward, on employers who fail to respond to a SAR fully or in a timely manner.

The new Guidance reminds employers that SARs give individuals the right to request a copy of their personal information, but the response must also include details about:

  • Where they got their information from;
  • What they’re using it for; and
  • Who they are sharing it with.

The ICO comments that employers are misunderstanding the nature of SARs, or the importance of responding.

The Guidance sets out a number of practical scenarios with responses. It makes the point that a SAR can also be submitted informally (such as over social media) and does not have to contain the words ‘subject access request’ in order to be one.

The Guidance covers the following key topics:

  • What is the right of access?
  • Do people have to submit a request in a certain format?
  • Can we clarify the request?
  • When can we withhold information?
  • Do we have to advise the requester if we are withholding information?
  • Do we have to comply with a SAR if the worker has signed a non-disclosure or settlement agreement?
  • Do you need to comply with a SAR if the worker is going through a tribunal or grievance process?
  • Do we need to disclose any non work-related personal information?
  • Do we have to disclose emails that the worker is copied into?
  • Do we have to include searches across social media?
  • We’ve had a request for CCTV footage, but it contains images of other people. Do we have to disclose it?
  • Can the ICO advise me what to include in a SAR response?
  • What happens if a worker isn’t happy with their SAR response?

The Guidance is drafted in a very plain English format with helpful examples provided. Businesses should ensure that they can identify a SAR, have mechanisms in place to properly respond, and do so within the 28-day period now provided by the law. We suspect, given the number of complaints received last year, that the ICO will be more likely to take action against employers who fail to comply with their legal requirements. The Guidance is important for any person in the business responsible for responding to SARs.