Responding to SARs - Is there new guidance for employers?
The Information Commissioner's Office (ICO) received over 15,000 complaints between April 2022 and May 2023 relating to Subject Access Requests (SARs). This has prompted the ICO to publish guidance for employers on responding to SARs.
The Policy Group Manager of the ICO believes companies are misunderstanding SARs and their obligations regarding them. This newsletter therefore serves as a useful reminder and Q&A on compliance with SARs, with a particular focus on some highlighted examples from the ICO that employers may find useful.
Reminder: what is a SAR and why do employees submit them?
In the UK, people have the right to access their personal information held by any organisation under data protection law (the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA)). This is called a Subject Access Request (SAR).
Employees, or former employees, make SARs to gain access to a copy of the personal data you hold about them. This may be because they want to ensure that the information you hold is up to date, or they may suspect that their data is being mishandled. More often than not, however, SARs are used when there is ongoing workplace conflict, and the employee may resort to a SAR to gather information they feel is or could be relevant. It is commonly used as a tactic to try and obtain a more favourable settlement offer. This is because responding to a SAR can be a very time-consuming process for an employer depending on the volume of data involved.
Can you ask an employee to clarify their information request?
Yes, you can. Often, employees send vague requests such as ‘what information do you hold on me?’ and, even though this is an example of a SAR, it can be difficult for you to know exactly what the employee is requesting here. You could ask the employee to specify the information or processing activities they are looking for before responding to the request.
The time limit for responding to the request is 1 month; this clock is paused until clarification is received. However, be cautious, as you should only do this when clarification is genuinely required, or when you process large amounts of data on the employee requesting their information. If the employee refuses to or cannot narrow their request, then the ICO expects employers to carry out reasonable searches to comply with the request.
It is important that proactive efforts are made to clarify or comply with the request; simply using clarification as a tactic to stall the process or to avoid responding to a request may lead to a complaint to the ICO.
Do we have to disclose emails that the worker is copied into?
The ICO has clarified that it is ultimately up to you as an employer to determine whether any of the information in the email is the requesting employee’s personal information.
It is important to remember:
- The right to personal data only applies to the requesting employee's personal information contained in the email. This means you may need to disclose part of an email to comply with their SAR.
- Just because the email is not primarily about the requesting employee does not mean it does not contain their personal information.
- Just because the requesting employee receives an email, this does not mean the whole of its contents is their personal information. The context is key to deciding this; however, their email address and name are their personal information and must be disclosed.
Example – Where an employee requests copies of all emails
An employee requested copies of all emails containing their personal information. The emails include an invitation, sent to the employee along with colleagues, to a team event to award team members who had closed the most cases. The email also contained a 'league table' of the top five best performing team members.
As the content relates to the requesting employee, the email counts as their personal information and you should therefore disclose it. However, you should redact the names of other people included in the email before disclosing it.
Do we have to include searches across social media?
Yes. If your company uses social media platforms such as Facebook, WhatsApp, Twitter and chat channels such as Microsoft Teams and Zoom, then you are the controller of the information processed on those pages.
It’s important to be aware that if personal WhatsApp chats are used for work purposes, these could become disclosable too. The UK GDPR applies to any social media activity carried out in a commercial or professional context.
You therefore must search these platforms for the requesting employee's personal information if you receive a SAR.
You should also consider social media posts supplied to you by others. For example, if your company has a Facebook page on which employees can post comments on activities and events run by the company, and an employee submits a SAR for their personal information, including comments posted on your company's Facebook page, you should review the social media posts and supply them to the worker as part of the SAR response.
What if the request would include the personal information of another person?
- Witness statements
Often, employers and HR professionals are faced with the question of whether witness statements of other employees and individuals, from internal disciplinary or investigative procedures, should be disclosed in response to a request for information.
The ICO gives new guidance in this area, reminding employers and HR of their duty of confidentiality. When an employee or individual is given an expectation of confidentiality when providing a statement, and there are no other means to protect their identity, then these statements should be withheld in the response to the request.
Example – where a request is received for copies of witness statements
You receive a request from an employee for copies of witness statements in response to an allegation of bullying towards a junior member of staff, in which the employee was allegedly involved. You asked for witness statements from colleagues who witnessed the incident on the basis that the statements would remain confidential.
In the first instance, you considered:
- what personal information, either about the requester or the witnesses, was included in the statements;
- that the witnesses had been assured of confidentiality by HR; and
- whether you could redact the statements without disclosing the identity of the writer.
Having considered the above, you decided to not disclose the witness statements, on the basis that:
- they were given with the expectation of confidentiality; and
- redaction would not prevent the writer’s identity from being disclosed.
This would be compliant with the ICO's new guidance.
- Whistleblowing reports
A whistleblower's report is likely to include information about those suspected of wrongdoing, as well as that of the informants or other witnesses.
There needs to be a balancing exercise of the requester’s right to access and the whistleblower’s right to confidentiality.
Whistleblowers are protected by the Public Interest Disclosure Act 1998 (PIDA 1998). So, you must balance the competing interests of PIDA and data protection legislation.
Example – where a whistleblower makes a report to the FCA
A bank worker makes a whistleblowing report to the Financial Conduct Authority (FCA) about a manager. The manager subsequently makes a SAR to HR. The bank decides not to disclose the whistleblowing report in response to this request so as not to prejudice the ongoing investigation against the manager; this would be an example of a lawful refusal to comply.
How 3CS can help