Ten tips on managing subject access requests

On 24th May 2023, the Information Commissioner’s Office (ICO) published guidance on subject access requests (SARs) for businesses and employers.

1 What is the entitlement?

Workers are entitled to a copy of their personal information from your organisation. This includes where you got their information from, what you are using it for and who you are sharing it with.

You must respond without delay and within one month of receipt of the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you several requests.

2 Do people have to submit a request in a certain format?

No. The UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR orally or in writing, including by social media. Workers can make requests to any part of your organisation and they do not have to direct them to a specific person or contact point. However, you should have a designated person, team and e-mail address for SARs.

The request does not have to include the phrases ‘subject access request’, ‘right of access’ or ‘Article 15 of the UK GDPR’. It just needs to be clear that they are asking for their personal information.

3 Can you clarify the request?

Yes. You could ask the worker to specify the information or processing activities they’re looking for before responding to the request. The time limit for responding to the request is paused until you receive clarification.

However, you should only seek clarification if:

  • It is genuinely required to respond to a SAR.
  • You process a large amount of information about the worker.

4 Can you withhold information?

Exemptions allow you to withhold some, or all, of the information requested. But you must apply exemptions case by case and you must justify and document your reasons for relying on them.

You can also refuse to comply with a SAR if it is either:

  • Manifestly unfounded.
  • Manifestly excessive.

5 What if the information involves other people?

You do not have to comply with a SAR if doing so means disclosing information that identifies someone else, except where either:

  • They consent to the disclosure.
  • It is reasonable to comply with the request without that person’s consent.

To determine whether it is reasonable to comply without consent, you must consider all the relevant circumstances, including:

  • The type of information that you would disclose.
  • Any duty of confidentiality you owe to the other person/people.
  • Any steps you took to try to get the other person’s consent.
  • Whether the other person is capable of giving consent.
  • Any stated refusal of consent by the other person.

6 Must you comply with a SAR if the worker has signed a non-disclosure or settlement agreement?

Yes. People have the right to obtain a copy of their personal information from you. This right cannot be overridden by a settlement or non-disclosure agreement.

If a settlement agreement you have made with a worker limits their right to access, then it is likely this part of the settlement agreement will be unenforceable under data protection legislation. Signing a settlement or non-disclosure agreement does not waive a worker’s information rights.

7 Must you comply with a SAR if the worker is going through a tribunal or grievance process?

Yes. People have the right to obtain a copy of their personal information from you.

You cannot simply refuse to comply because there is a grievance or tribunal process and you believe the worker intends to use their personal information to obtain information for potential litigation. If you believe it is not appropriate to disclose the relevant information, you must demonstrate what exemption you are using and why.

Even if you have already disclosed the information through another statutory process, such as employment tribunal proceedings, you must comply with a SAR.

8 What if the worker was already copied into an e-mail?

The right of access only entitles the worker to obtain a copy of their personal information from your organisation. You must consider what part of the e-mail is the personal information of the requester. It also depends on the contents of the e-mail and the context of the information it contains.

Ultimately, it is for you to determine whether anything in the e-mail is the requester’s personal information. Remember:

  • The right of access only applies to the requester’s personal information contained in the e-mail. This means you may need to disclose some or all of the e-mail to comply with the SAR.
  • If the contents of the e-mail are about a business matter, it may still be the requester’s personal information. This depends on the content of the e-mail and whether it is about the requester.
  • Even if the requester received the e-mail, this does not mean that the whole content of the message is their personal information. Again, the context of the information is key to deciding this. However, their name and e-mail address are their personal information, and you must disclose this information to them.

9 What about social media?

If your company uses social media platforms such as Facebook, WhatsApp, Twitter and chat channels on Microsoft Teams for business purposes, then you are the controller of that information.

The UK GDPR applies to any social media activity carried out in a commercial or professional context.

If you receive a SAR, you must search these platforms for any personal information if it falls within scope.

You should also consider social media posts supplied to you by others as potentially in scope. For example, a worker might submit a copy of a colleague’s WhatsApp group posts criticising their manager.

10 Must we disclose our CCTV footage if it shows other people?

Yes. Workers who submit requests for footage that contains their personal information have a right to receive that information under data protection legislation. When installing CCTV, you should make sure you choose a system that allows you to easily locate and extract personal information in response to subject access requests. You should also ensure it allows you to redact third-party information where necessary. If your CCTV system has this functionality, it will likely enable you to comply with your data protection obligations.

If your CCTV system does not have this functionality, you still need to comply with your obligations. However, you should only disclose the footage if you have the other people’s consent to do so, or if it is reasonable to do so without their consent.

Source: SARs Q&A for employers