ICO Publishes New Guidance for Employers on 5th anniversary of GDPR – Complying with Subject Access Requests

The Information Commissioner’s Office (‘ICO’) released new guidance on 24 May 2023 to organisations and employers in respect of responding to subject access requests (‘SARs’).

The right of access, commonly referred to as a subject access request, gives an individual the right to request a copy of their personal information from organisations. In the case of requesting information from an employer or former employer this could include details of their personnel file or HR records. Individuals are entitled to know where the organisation obtained their information from, what they’re using it for and who they are sharing it with.

Generally, organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex. Failure to comply and respond to SARs constitutes a breach of data protection law and organisations can be subject to fines or reprimand by the ICO as a result.

The ICO’s latest guidance confirms that during the period between April 2022 and March 2023 it received 15,848 complaints relating to SARs. The ICO commented that a lot of employers and organisations seem to misunderstand SARs, the required form of a request and the importance of responding to them. The ICO’s updated guidance confirms that requests can be submitted to organisations informally, such as over social media, and that they do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. The guidance also deals with practical issues regarding SARs, non-disclosure and settlement agreements, and how to deal with requests involving third party data.

The ICO has published this guidance in a user-friendly Q&A format to answer some of the frequently asked questions received from organisations to ensure that they are not caught out. The ICO guidance provides a reminder to organisations that if they continue to fail to respond to SARs, the ICO will not hesitate to take appropriate action and issue fines in respect of same. Therefore, we would encourage all employers and organisations to assess their current practices and procedures regarding SARs and ensure they align with the ICO guidance which is available via the following link: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employers/sars-qa-for-employers/

Should you require advice or assistance in relation to any of the above please do get in touch with Niamh McMonagle in our Employment Team.