Data protection – ICO's new guidance on data subject access requests

Out-Law News | 05 Nov 2020 | 1:18 pm |

Leanne Francis comments on the ICO’s new guidance on handling data subject access requests from employees.

  • Transcript


    Data protection – new detailed subject access request guidance published by ICO

    The Information Commissioner’s Office (ICO) has published detailed guidance on subject access requests which should help employers when it comes to handling requests more effectively and efficiently – it's aimed at data protection officers and those with specific data protection responsibilities in larger organisations. A reminder - data subject access requests are an important part of the data protection regime. Individuals have the right to make data subject access requests to find out whether or not you are processing their personal data. If you are, they have the right to access copies of that data and you must provide them with information about how you are processing it. As an HR professional you are most likely to see these requests coming from current employees, job applicants and former employees. So, for example, in the context of a dispute where an employee could ask to see all the notes and witness statements relating to his or her grievance or disciplinary proceedings, or perhaps a request from an unsuccessful job applicant who suspects that he or she has been discriminated against, and we see that a lot. As for the new guidance, this initially went out for consultation back in December last year and it resulted in over 350 responses from organisations of all sizes, and across all sectors, who were in broad agreement in wanting the whole process simplifying. So to that end there were calls for additional content and examples, and clarification on some aspects of the law that aren’t so clear-cut. The guidance has now been published and, interestingly, the ICO’s blog confidently states it thinks it has succeeded with that task. 
    They say they have provided clarity on the three key points which were raised in the consultation which are: (i) stopping the clock when employers thought requests didn’t leave enough time to respond; (ii) making clear what amounts to a request which is manifestly excessive; and (iii) what can be included when charging a fee for excessive, unfounded or repeat requests. So what do we make of the new guidance? On the line, data protection specialist Leanne Francis:

    Leanne Francis: “There's no doubt that this new guidance is very welcome for employers because it supplements the old guidance and clarifies some of the grey areas that have really persisted since the new Data Protection Act was introduced in 2018, and it is very detailed and very practical guidance. One of the most interesting areas of the guidance, for me, is the explanation of what amounts to a complex data subject access request. At the moment employers have just 30 days to comply with the DSAR, which in most circumstances is not enough time. The legislation allows for a further two months to comply where the DSAR is complex, but no one really knew what that meant. What the ICO has done is listed a number of circumstances where we might be dealing with a complex DSAR, but actually these are fairly niche and in my experience we don't tend to come across those examples very often. The ICO has also said that the mere fact that there is a large volume of data does not in and of itself mean that the request is complex, and much will depend on the size and resources of an employer.

    Perhaps what is more helpful in the guidance is that it does talk about what's called the “stop the clock” provisions, which is something that is perhaps used less often by employers. This allows an employer, where they are trying to reduce the scope of a DSAR with the employee, perhaps because it's too wide, which can take a long time, and what the ICO is saying is that that will pause time until you're able to reach agreement over exactly what it is the employee is looking for. The guidance also goes on to explain that employers are still required to go to reasonable or proportionate efforts to comply with the DSAR. The old guidance referred to extensive efforts – it’s not clear whether that really makes any difference and the ICO are still saying that there's a high expectation on employers to comply. This is still seen to be a fundamental right of a data subject to request access to their data, but I think what it might be is, perhaps, a little bit of a nod to employers that where you have a difficult employee who is refusing to narrow the scope of their request, and being very unreasonable, an employer may be able to unilaterally decide that they don't need to do a forensic response to a DSAR and that they can have one eye on the size of their organisation and the resources available to them.

    The guidance is also helpful because it goes on to explain what “manifestly unfounded or excessive” means. Now, where a DSAR falls into this category the employer has the right to refuse it altogether, and the ICO lists a number of, again, fairly narrow circumstances where a DSAR might fall into this category. So it gives an example of an employee who says, for example, I will withdraw my DSAR if you give me a settlement agreement, or an employee who explicitly states that they're doing this out of malice or to cause trouble. Now, in my experience, this rarely happens; employees are a little bit cleverer about that. They may have a collateral purpose: they might be doing it as part of a fishing exercise, they might be doing it to add pressure to an employer in a negotiating situation, but that isn't enough in and of itself to refuse a DSAR. So we do have to be really careful about applying this exception and, if we do use this exception, then we would want to have our decision very, very carefully documented. The guidance also talks about the fact that employers need to get their systems and their processes in order.

    This is a right that has existed way before 2018. Employers need to make sure that they have teams of people within their organisations who know how to handle a DSAR from start to finish and at Pinsent Masons we often train these in-house DSAR teams so that they know how to handle what is a fairly complex job. It also talks about having consistent policies and checklists in place, having an asset register where you are able to find very quickly the areas in which you store your data, and also talks about retention, so making sure that we're refining the data that we store and we're only keeping what is really necessary because, of course, the less data you have the easier it is to comply with a DSAR. So overall, it's helpful guidance. I think there are still some questions that remain for employers but it is, of course, essential reading for anyone handling a DSAR, especially as we start to see a rise in DSARs in the context of redundancy exercises and grievances.”

    We should point out that you can, of course, find that new guidance on the ICO’s website. If you are not familiar with that website and you have responsibilities in this area, you will find it a very good source of information and help – very well set out, very practical and full of working examples.