Posted: 31/05/2023
On 24 May 2023, the Information Commissioner’s Office (ICO) released new guidelines, targeted at employers, to help organisations comply with their duties under data protection legislation in respect of data subject access requests (DSARs).
By way of a quick update, under the UK General Data Protection Regulation (UK GDPR), individuals have the right to request copies of their own personal information if it is being held (‘processed’) for non-personal purposes. This applies to almost all organisations: employers, schools, universities, private sector companies, public sector organisations… and even individuals, if they are not using the information for personal reasons (Christmas card lists are safe… video doorbells may be more complicated!).
If you receive a valid DSAR, you should normally respond within one month, although this can be extended by up to two months in the case of ‘complex’ requests. Therefore, there is a time pressure to respond, and the ICO has taken action where organisations are repeatedly missing the deadlines.
If you would like to learn more about DSARs you can access our podcast series, which provides an accessible introduction to DSARs from receipt to disclosure.
The ICO’s new guidelines are structured in a Q&A format and seek to answer some of the commonly asked questions that employers have. Whilst they do not amend the existing detailed guidance, they do help draw attention to a number of key points. Some of these clarifications are set out below:
The full guidance can be accessed here.
The ICO explains that its decision to release this further guidance, specifically targeted at employers, was prompted by the significant number of complaints it received in relation to the handling of DSARs. Over the course of the last year, the ICO received more than 15,000 complaints and took enforcement action against both public and private sector companies.
Elanor McCombe of the ICO commented:
“The right of individuals to access information that organisations hold on them is one that is vital for transparency, and is enshrined in law.
“What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to.
“It’s important to not get caught out, and that is why we are publishing this guidance today – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired.
“For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.”
As a firm, we understand the administrative and financial burden of large and complicated DSARs and have experience of guiding clients through the process. In order to do this, we have developed a product with Lighthouse which uses analytics to help manage large and complicated DSARs proportionately. If you are interested in this, you can access more information here.