Harriet Dwyer tells HRNews about the ICO’s new guidance on handling data subject access requests

We're sorry, this video is not available in your location.

  • Transcript

    The Information Commissioner’s Office, the ICO, has issued new guidance for employers on how to handle data subject access requests, or DSARs as they are often called. It replaces the initial ICO guidance of April 2018 and comes with a message to employers that ‘It’s important not to get caught out” when it comes to responding to requests from people who want copies of personal information about them. That information is typically things like attendance and sickness records, personal development or their HR records.

    The ICO says it received over 15,000 complaints related to DSARs during April 2022 and March 2023 and that employers regularly misunderstood the nature of requests meaning they often fail to respond to promptly, or at all, leaving themselves open to fines or a reprimand - hence the ICO’s alert. The guidance reiterates that employers cannot simply refuse DSARs due to upcoming tribunal proceedings – a common excuse – or if they are in the middle of a grievance process.

    Under the UK’s GDPR, employers can refuse DSARs if they are ‘manifestly unfounded’ or ‘excessive’ and, whilst that is a high bar, helpfully the guidance gives an example of when it might be cleared. Namely, if the requests is being used for tactical reasons to secure a higher settlement, where the employee acknowledges they will withdraw a SAR if an employer agrees to an improved financial package. That’s because employers receiving DSARs are forced to weigh up the costs of complying with the request against the costs of a settlement. The guidance also confirms that any provision included in a settlement agreement which limits a worker’s right of access will be unenforceable and does not waive a worker’s rights.

    So, let’s get a view on this. Harriet Dwyer is a data protection specialist and earlier she joined me from Birmingham to discuss it. I put it to Harriet that there’s no set format when it comes to submitting a DSAR:

    Harriet Dwyer: “Yes, that’s exactly right, Joe. So, the guidance makes clear that when an individual is requesting their personal data, they don't specifically have to refer to the GDPR or the fact that they are actually making a data subject access request and employers really need to be alive to that and recognise when an employee is asking for personal data which might be in informal communications, it could be done verbally, it could even be made via social media. Employers just need to be really careful to ensure that they are recognising those requests, and then are treating them as data subject access requests and responding to them in accordance with the legislation and the frameworks.”

    Joe Glavina: “It’s interesting that the ICO have confirmed that the settlement agreement that limits an employee's right of access is unenforceable. Is that common, Harriet?”

    Harriet Dwyer: “It's something we see quite frequently, Joe. The difficulty for employers, and for our clients, is that responding to a data subject access request is really timely, it's really costly, and so where they are raised in the context of litigation, or some other kind of dispute ongoing with the employee, it might be that they are having settlement conversations as well. So, what we do see is employers seeking to wrap up an ongoing data subject access request within a settlement agreement as well and that's very much a commercial consideration, and quite a reasonable one really, when you think about the cost and time involved in responding to DSARs. The caveat to that, however, is the fact that the ICO do you make clear that waiving a data subject access request right in a settlement agreement won't necessarily be enforceable so where employers are thinking about including those clauses they need to do so with caution and also bear in mind the fact that the DSAR deadline could be looming and so if, for some reason, settlement negotiations fall through, or you don't conclude an agreement within a certain timeframe and the deadline for responding to the DSR has been gone, the ICO probably won't have very much sympathy with an employer in those circumstances.”

    Joe Glavina: “What about witness statements used for internal disciplinary or investigation purposes? Would that have to be disclosed in response to a DSAR?”

    Harriet Dwyer: “Again, that's a really difficult, but common, situation we see our clients facing when responding to DSARs, especially in the in the context of litigation or other disputes. That’s typically because the background to the case is there has been a disciplinary, or there has been a grievance, and as part of those processes there are witness statements that are taken by third parties and in those situations, you've got a very difficult balancing exercise because the witness statement will include the third-party personal data, but also the personal data of the data subject. So, our clients really have to grapple with whether or not they can, or should, disclose those witness statements. So, what we advise our clients is that there is an exemption, there's a third-party personal data exemption that can be relied on, and we have to weigh up, basically, the rights of the third party and the rights of the data subject and form a view, basically, on whether or not those witness statements can be disclosed. In carrying out that balancing exercise we'll be thinking about things like the reasonable expectations of the third party, whether they have any duty of confidentiality towards those third parties, perhaps whether the third party might, or could, give consent to the disclosure. But what's really helpful in the recent ICO guidance is they touch upon this, and they give their own example, and in their example, they actually reach the conclusion that the third party witness statement would not be disclosed, especially where redactions wouldn't conceal the identity of that third party.”

    Joe Glavina: “I’d just like to move on to fishing expeditions, because very often when these requests come in, the relationship is breaking down and you get the feeling the individual is arming themselves for litigation further down the line. Does that justify an employer not responding?”

    Harriet Dwyer: “No, it doesn't. Just because an employee is raising a DSAR and it's evident to the employer that it's a fishing expedition, it's still fundamental that employers respond to those DSARs. In the context of litigation, it's likely that the employee will take any response, or lack of response even, to a DSAR to a lawyer and that might create further and additional complications for the employer later down the line. It could also be that they take a complaint to the ICO and, again, the employer has to deal with any fallout from that. So, it's really important that although it might appear to be a fishing exercise that employers are responding to DSARs properly and within a timely manner. It’s something we see a lot. Our advice to clients is carry out a reasonable search. It doesn't have to be too far wide ranging, we can apply search parameters, and different criteria, that will enable employers to respond adequately to a DSAR but the guidance, again, makes clear that the reason that they are issuing the guidance is because employers won't be let off the hook if they don't reply to DSARs, and could face a reprimand or a fine.”

    The ICO’s new guidance on DSARs takes the form of a series of Q&As and available from the ICO website. We have put a link to it in the transcript of this programme.


    - Link to ICO guidance on DSARs

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.