Last year the ICO received over 15,000 complaints about failures to comply with subject access requests (SARs). While these were not all employment-related, the ICO believes that some employers are misunderstanding their obligations to respond to SARs or underestimating the importance of complying with data protection obligations.
The guidance takes the form of Q&As for employers to help them respond to SARs in a proper and timely manner.
The Q&As confirm:
- There are no formal requirements for making a SAR. A worker can make a request verbally or in writing, including via social media. All they have to do is make it clear that they are asking for their personal information.
- An employer can ask a worker to specify the information they want under a SAR. This is only appropriate if the employer processes a large amount of data about the worker, for example because of the length of the employment relationship, and needs the clarification to respond. If a worker continues to ask for all their personal information, the employer should conduct reasonable searches. A request will not be manifestly excessive simply because it asks for a lot of information.
- A request will be manifestly unfounded if a worker does not genuinely want to exercise their rights or is making the request to cause disruption. For example, if a redundant employee makes a SAR, but offers to withdraw it in return for additional financial compensation, this could indicate that the request is not genuine.
- A settlement agreement cannot override the right to make a SAR. Provisions in a settlement agreement that purport to waive or limit a worker’s information rights will not be enforceable.
- An employer cannot refuse to comply with a SAR because it is made in the context of a grievance or tribunal proceedings. It would still need to identify an applicable exemption before it could withhold information. Disclosure rules are different from the rules that apply to SARs and serve a different purpose.
The Q&As outline the exemptions on which employers responding to a SAR are most likely to rely when deciding whether they can withhold information. Employers must apply exemptions on a case-by-case basis and record their reasons for doing so.
Information about other people
Employers do not have to disclose information about other people when responding to a SAR, unless the third person consents to the disclosure or it is reasonable to disclose information without their consent. The Q&As suggest that witness statements gathered in connection with a disciplinary issue may not have to be disclosed in response to a SAR, particularly if the employer took statements on a confidential basis.
The UK GDPR exempts confidential references provided for employment purposes from SARs. An employer should notify staff, through privacy notices, policies or staff handbooks, if it is its policy to provide references on a confidential basis. If this is not made clear, requests for references through SARs should be dealt with on a case-by-case basis.
Employers can refuse to provide information processed for management forecasting or planning if this would prejudice the conduct of the business. The Q&As indicate that information about a proposed redundancy exercise would fall within the exemption.
Negotiations with the requester
Information about intentions in negotiations with the person making the request is exempt if disclosing the information could prejudice the negotiations. The example in the Q&As indicates that this would cover a situation in which an employer refuses to disclose personal information contained in ongoing negotiations about a settlement agreement. However, the exemption would not be available if an employee made a SAR after a settlement agreement was concluded, as disclosing information at that stage would not prejudice negotiations.
The guidance is a helpful reminder of the basic principles and indicates the ICO’s view of some of the issues employers often face in connection with employee SARs.
The Q&As reflect that the circumstances in which an employer can refuse to comply with an employee SAR on the basis that it is manifestly unfounded or excessive are currently very limited. It remains to be seen whether this will change if the test is changed to cover requests that are vexatious or excessive, as proposed in the Data Protection and Digital Information (No 2) Bill.
Authored by Jo Broadbent, Anvita Sharma and Stefan Martin.