Out-Law News 2 min. read

UK ICO publishes new employer guidance on subject access requests


The UK Information Commissioner’s Office (ICO) has issued new guidance for employers on how to handle subject access requests (SARs).

Stephanie Lees of Pinsent Masons said the ICO’s SAR guidance is useful for employers who have been grappling with SARs raised in the context of employment disputes.

The ICO received over 15,000 complaints related to SARs during April 2022 and March 2023. The ICO said employers regularly misunderstood the nature of SARs, and that organisations which fail to respond to SARs promptly, or at all, can be subject to fines or a reprimand.

Lees said the ICO’s warning reflects a general increase in the level of enforcement action being raised for non-compliance with SARs, particularly with the ICO’s increased use of reprimands. The guidance reiterates that employers cannot simply refuse SARs due to upcoming tribunal proceedings or if they are in the middle of a grievance process.

Under the UK General Data Protection Regulation (UK GDPR), employers can refuse SARs if they are manifestly unfounded or excessive. An example cited in the ICO’s guidance suggests that employers might be able to refuse a SAR from a former employee if it is being used for tactical reasons to secure a higher settlement, where the employee acknowledges they will withdraw a SAR if an employer agrees to an improved financial package.

“The ‘manifestly unfounded’ threshold is a high one for employers to satisfy, but the example included in the ICO’s guidance is useful, suggesting that employers might be able to refuse these requests entirely,” she said. “Employers which receive SARs are forced to weigh up the costs of complying with the request against the costs of a settlement.”

The guidance also confirms that any provision included in a settlement agreement which limits a worker’s right of access will be unenforceable and does not waive a worker’s rights. Lees said: “Employers should take note of the ICO’s position on this, as if an employer pauses its work on a SAR pending a settlement agreement being signed, then they risk missing the deadline if the agreement falls through. In those circumstances, it would appear the ICO would take a dim view for this non-compliance.”

One section addresses how to tackle witness statements used for disciplinary purposes which have been requested as part of a SAR. These often presents challenges for employers on how to tackle third party data, with statements usually containing mixed data between the requester and third parties. In such cases the guidance explains the factors that must be considered when applying the third-party data exemption, set out in the 2018 Data Protection Act.

These factors include: the reasonable expectations of the other person and, in particular, any duty of confidentiality you owe to them; any express refusal of consent by the other person and whether they are capable of giving consent; the type of information that you would disclose; and in a work context, factors such as a person’s seniority and role. In the example given in the guidance the employer, after it has considered those factors, decides to not disclose the witness statements on the basis that they were given with the expectation of confidentiality and redaction would not prevent the writer’s identity from being disclosed.

“While this new guidance is not ground-breaking, employers will still welcome the clarification. The balancing test for third-party data can raise practical challenges for employers, who often must make a defensible decision on whether to withhold witness statements after working through the above-mentioned factors,” Lees said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.