What’s this all about?
The UK data protection regulator, the Information Commissioner’s Office (“the ICO”), recently issued “SARs Q&A for employers”. This article looks briefly at that guidance.
What is a Subject Access Request?
EU GDPR, UK GDPR and the UK Data Protection Act 2018 (“the DPA 2018”) allow individuals to make Subject Access Requests (SARs) to organisations in order to obtain the personal data that those organisations hold about them, subject to certain important exceptions.
Once a SAR is received, an organisation must usually provide the information requested without delay and at the latest within one month of receiving the request. If, however, a SAR is complex or the individual has made numerous requests, the organisation may extend the compliance period by a further two months; it must inform the individual of the extension within one month of receiving the request and explain why the extension is necessary.
SARs are frequently made in the employment context.
What does the Q&A say?
Edited highlights of the Q&A include the following:
- “Do people have to submit a request in a certain format?
No. […] a worker can make a SAR verbally or in writing, including by social media.”
“Examples of SARs: ‘Please send me my HR file’; ‘Can I have a copy of the notes from my last appraisal?’; ‘What information do you hold on me?’; and, ‘Can I have a copy of the emails sent by my manager to HR regarding my verbal warning?’”;
- “Can we clarify the request?
Yes. You could ask the worker to specify the information or processing activities they’re looking for before responding to the request. The time limit for responding to the request is paused until you receive clarification. However, you should only seek clarification if: it is genuinely required in order to respond to a SAR; and, you process a large amount of information about the worker”;
- “When can we withhold information?
Under the UK GDPR, there are exemptions from the right of access that allow you to withhold some, or all, of the information requested. It is important to note that you must apply exemptions on a case-by-case basis and you must justify and document your reasons for relying on them”;
“Information about other people
Personal information can cover more than one person. Therefore, responding to a SAR may involve providing information that is about both the requester and someone else. The DPA 2018 says you do not have to comply with a SAR if doing so means disclosing information which identifies someone else, except where: they consent to the disclosure; or, it is reasonable to comply with the request without that person’s consent.
To determine whether it is reasonable to comply without consent, you must consider all the relevant circumstances, including: the type of information that you would disclose; any duty of confidentiality you owe to the other person/people; any steps you took to try to get the other person’s consent; whether the other person is capable of giving consent; and, any stated refusal of consent by the other person”;
Documents that may include information about other people include:
“Witness statements, used for internal disciplinary or investigative issues in the workplace, usually include the personal information of more than one person. You must consider if you can disclose them. You do not have to comply with the request if it would mean disclosing information about another person, except if they consent to the disclosure or it is reasonable to comply without their consent.
To decide if it is reasonable to disclose the information, you must consider: the reasonable expectations of the other person and, in particular, any duty of confidentiality you owe to them; any express refusal of consent by the other person and whether they are capable of giving consent; the type of information that you would disclose; and, in a work context, factors such as a person’s seniority and role. In general, it is more likely to be reasonable to disclose information about an employee acting in a professional capacity than a private citizen”;
“Whistleblowing is when a worker passes on information about wrongdoing they have witnessed or experienced, usually, but not always, at work. Disclosure of the alleged wrongdoing must be in the public interest. This means it must affect others, for example the general public. A whistle blower’s report is likely to include information about those suspected of wrongdoing, as well as that of the informants or other third parties, such as witnesses. In this instance, you must balance the requester’s right of access against the whistle blower’s rights.
It’s important to note that whistle blowers are protected by the Public Interest Disclosure Act 1998 (PIDA 1998). You must consider this alongside data protection legislation. You must consider the rights of: the requester, under the UK GDPR; the whistle blower as a third party under the UK GDPR; and, the whistle blower under the PIDA 1998 – the right to make a protected disclosure”;
“You may receive a SAR from a worker for references. These could cover references that you either provided to other organisations or that you received at the start of their employment.
However, under UK GDPR, confidential references are exempt, when provided for the purposes of: education, training, or employment of someone; someone working as a volunteer; appointing someone to office; or, provision of any service by someone. The exemption applies regardless of whether you give or receive the reference.
It is important to note that this only applies to references that you give in confidence. You should make it clear to workers and those providing references whether you treat them as confidential. You should do this in your privacy statement, staff handbook or policies.
However, if it is unclear whether you are treating references as confidential, you should consider requests on a case-by-case basis, taking into account the following: any clearly-stated assurance of confidentiality that you give to the referee; any reasons the referee may give for withholding consent; the likely impact of the reference on the requester; any risk that disclosure may pose to the referee; and, the requester’s interest in being able to satisfy the accuracy and truthfulness of the reference”;
“Legal professional privilege
Legal professional privilege (LPP) protects certain confidential communications between lawyers and clients. LPP is only available for communications that are: confidential in nature; unless you are considering litigation, just made between a client and a legal adviser acting in a professional capacity; and, made for the dominant purpose of obtaining or providing legal advice or being used by lawyers in possible or probable litigation”;
“Crime and taxation
There are two parts to this exemption. The first part applies if you process personal information for the purposes of: the prevention or detection of crime; the apprehension or prosecution of offenders; or the assessment or collection of a tax or duty or an imposition of a similar nature. It exempts you from the UK GDPR’s provisions on: […] the right of access (which covers making a SAR); [and several other parts of UK GDPR too]”;
“But the exemption only applies if complying with a SAR would be likely to prejudice your crime and taxation purpose, as above”;
“An exemption applies to personal information that you process for management forecasting or planning about a business or other activity. You could refuse to provide this information if disclosure is likely to prejudice the conduct of the business or activity. You do not have to acknowledge that you hold this information. If you confirm or deny you hold the information, it may prejudice business conduct and cause potential issues with your staff”;
“Negotiations with the requester
Personal information that is included in a record of your intentions in negotiations with one of your workers is exempt from the right of access. This only applies if complying with the SAR could prejudice the negotiation. However, this is only likely to apply whilst the negotiations are ongoing. If you receive another request after ending the negotiations, it may be difficult for you to apply this exemption. However, you must demonstrate how using the exemption would prejudice the negotiations”;
“A request may be manifestly unfounded if: the worker clearly has no intention to exercise their right of access; or, the request is malicious in intent and is being used to harass your organisation with no real purpose other than to cause disruption. For example, if the person explicitly states, in the request itself or in other communications, that they intend to cause disruption”;
“To determine whether a request is manifestly excessive, you should consider whether it is clearly or obviously unreasonable. You should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request;
This means taking into account all the circumstances of the request, including: the nature of the requested information; the context of the request, and the relationship between you and the requester; whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to someone; your available resources […];
A request is not necessarily excessive just because someone requests a large amount of information. […] you should consider all the circumstances of the request. You could also consider asking them for more information to help you locate the information they want and whether you can make reasonable searches for the information”;
- “Do we have to advise the requester if we are withholding information?
This depends on the circumstances of each case. In some circumstances, it may not be appropriate to tell the requester that you are withholding personal information. For example, if this would prejudice the purpose of the exemption. Wherever possible, you must be as transparent as possible. Example: You receive a SAR from a worker requesting all their personal information. You are investigating the worker for alleged fraud and decide to withhold all the information about the investigation under the crime and taxation exemption. In this instance, it would not be appropriate to inform the worker as it would be likely to prejudice the investigation as the worker may destroy evidence. You supply the worker with most of their personal information but withhold the information about the investigation”;
- “Do we have to comply with a SAR if the worker has signed a non-disclosure or settlement agreement?
Yes. People have the right to obtain a copy of their personal information from you. This right cannot be overridden by a settlement or non-disclosure agreement. If a settlement agreement you have made with a worker limits their right of access, then it is likely this part of the settlement agreement will be unenforceable under data protection legislation. Signing a settlement or non-disclosure agreement does not waive a worker’s information rights”;
- “Do you need to comply with a SAR if the worker is going through a tribunal or grievance process?
Yes. People have the right to obtain a copy of their personal information from you. You cannot simply refuse to comply because the worker is undergoing a grievance or tribunal process, and you believe they intend to use their personal information to obtain information for potential litigation. If you believe it isn’t appropriate to disclose the relevant information, you must demonstrate what exemption you are using and why.
It is important to note that whilst there may be separate rules for disclosing information in the course of a tribunal, you must comply with a SAR. This applies even if there may be some cross-over in the information supplied.
However, even if you have already disclosed the information through another statutory process, such as in employment tribunal proceedings, this does not mean you can refuse to comply with a SAR. […]”;
- “Do we need to disclose any non work-related personal information?
Organisations should have policies and procedures in place so that workers are aware of what they can and can’t do on the IT system. For example, a reasonable use or a personal use policy.
Example: A former worker submits a SAR for all their personal information. The worker requests emails they believe were exchanged between colleagues using their personal email accounts. Although the colleagues accessed their personal email accounts via work laptops, you do not consider the company to be the controller of the information. You also consider the information to have been processed for personal and household use and decide not to disclose it”;
- “Do we have to disclose emails that the worker is copied into?
The right of access only entitles the worker to obtain a copy of their personal information from your organisation. You must consider what information in the email is the personal information of the requester. It also depends on the contents of the email and the context of the information it contains.
[…] it is important to remember: the right of access only applies to the requester’s personal information contained in the email. This means you may need to disclose some or all of the email to comply with the SAR; just because the contents of the email are about a business matter, this does not mean that it is not the requester’s personal information. This depends on the content of the email and whether it is about the requester; and just because the requester receives the email, this does not mean that the whole content of the email is their personal information. […] the context of the information is key to deciding this. However, their name and e-mail address are their personal information, and you must disclose this information to them”;
- “Do we have to include searches across social media?
Yes. If your company uses social media platforms such as Facebook, WhatsApp, Twitter and chat channels on Microsoft Teams for business purposes, then you are the controller for the information processed on those pages. The UK GDPR applies to any social media activity carried out in a commercial or professional context. If you receive a SAR, you must search these platforms for any personal information if it falls within scope. You should also consider social media posts supplied to you by others as potentially in scope. For example, if a worker submits a copy of posts made by a colleague criticising their manager in a WhatsApp group”;
- “We’ve had a request for CCTV footage, but it contains images of other people. Do we have to disclose it?
Yes. Workers who submit requests for footage that contains their personal information have a right to receive that information under data protection legislation. When installing CCTV, you should make sure you choose a system that allows you to easily locate and extract personal information in response to subject access requests. You should also ensure it allows for the redaction of third-party information, where this is necessary. If your CCTV system has this functionality, it will likely enable you to comply with your data protection obligations.
However, if your CCTV system does not have this functionality, you still need to endeavour to comply with your obligations. However, you should only disclose the footage if you have the other people’s consent to do so, or if it’s reasonable to do so without their consent.”
What are the takeaways?
Organisations should consider reviewing their SAR procedures and processes in light of the ICO Q&A.
On general SARs compliance, organisations should consider:
- Checking their existing SARs policy and procedure to make sure that they are up to scratch. This includes making sure that it is clear what information has to be provided, and whether the exemptions are covered;
- Ensuring that they have systems in place that can locate personal data when a SAR is made, especially from an IT perspective – also bear in mind that most hard copy data will also need to be included;
- Looking at document creation and retention and asking: do we need all of the data we keep?;
- Always making a note of when a SAR was received and when the time limit will end;
- Regularly reviewing the appropriateness of holding large amounts of HR data – this should reduce risk to some extent (the less personal data there is, the less there will be to review when a SAR arrives);
- From the moment a SAR is received, not altering or otherwise interfering with personal data to prevent its disclosure to the individual – under the UK DPA 2018 such behaviour constitutes a criminal offence; and,
- Training staff on spotting and handling SARs.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
See our other articles about Subject Access Requests including here https://www.corderycompliance.com/eu-gdpr-sar-0223/, here https://www.corderycompliance.com/ico-sar-uk1/, here https://www.corderycompliance.com/sars-under-gdpr/, here https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/, and here https://www.corderycompliance.com/ico-sars-enforcement-lewisham-council/.
The full ICO “SARs Q&A for Employers” can be found here https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employers/sars-qa-for-employers/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365