12 lessons from the ICO’s new subject access requests Q&A for employers
Insight
On 24 May 2023, one day before the GDPR’s birthday, the ICO released new guidance on subject access requests (SARs) which is specifically aimed at employers. This guidance deals with SARs made by current or former members of staff, including the “litigious” context where an individual requests copies of their personal data to help them establish the facts of a dispute or even as evidence for a live Tribunal case. Given how difficult and time-consuming these SARs can be for employers, and acknowledging that repeated non-compliance with SARs (including missing statutory deadlines) is an increasing focus for the ICO’s enforcement division, this is welcome guidance for UK-based data controllers. The new guidance is in a question and answer (Q&A) format, refers to the relevant parts of the ICO’s detailed subject access guidance, and includes a number of helpful examples of what employers “must” (reflecting legal requirements) and “should” (reflecting ICO recommendations for best practice) do when responding to SARs from employees.
Some highlights from the SARs Q&A for employers, and some reflections from our own experience advising employers on how best to deal with employee SARs, are as follows:
1. Recognising and clarifying requests
A data subject access request can be made in a very informal way, from the specific “can I have a copy of the notes from my last appraisal?” to the much more general “what information do you hold on me?” This emphasises the importance of regular staff training on data protection matters so that SARs can be recognised and dealt with efficiently. It is quite acceptable to ask a worker to clarify the scope of their SAR, particularly if that is necessary to interpret the request in good faith and particularly where the organisation holds a large amount of information about the worker. In our experience, the “reasonable” requester will usually clarify their request in some way when prompted – but it is the individual’s right to refuse to do this and instead to ask for copies of all their personal data, which leaves the organisation with decisions to make about what constitutes a reasonable and proportionate search for the individual’s personal information based on their original request.
2. Withholding other people’s personal data
The new guidance sets out quite clearly the Data Protection Act (DPA) exemption for protecting the rights of others (sometimes referred to as the “mixed personal data” exemption). The data controller / employer has a wide discretion to determine whether it is reasonable in all the circumstances to withhold or disclose third parties’ personal data that is “mixed in” with the requester’s information. The ICO gives a common-sense example of salary review information which compares multiple employees and their proposed salaries; in that case the employer would normally disclose the requester’s own pay review data but would almost certainly withhold comparison data relating to others.
3. Witness statements
Another relatively common application of the “mixed personal data” exemption in the context of an employee making a SAR is where the individual requests copies of witness statements relating to internal disciplinary issues or workplace investigations. Again, the employer has a wide discretion here but must consider all the circumstances, including, for example, the reasonable expectations of the interviewees / witnesses when they agreed to be interviewed by the HR department, whether they were asked to consent to the disclosure of their identity / their personal data to the requester, and any express refusal of that consent. The ICO also acknowledges that a person’s seniority and role are relevant: this is consistent with some much older ICO guidance which acknowledges that it is usually more reasonable to disclose certain information of senior staff than it is to disclose the identity or personal information of juniors. The example scenario in the new guidance assumes that witnesses to inappropriate behaviour in the workplace had been assured of confidentiality by the HR team at the time they agreed to be interviewed or give a witness statement – which could lead to a lawful and legitimate conclusion by the employer that it will not disclose those witness statements in response to a SAR. However, the employer should also consider the nature of the witnesses’ personal data which would be disclosed in their witness statements, and whether it is possible to redact them without disclosing the identity of their authors.
4. Whistleblowing reports
It is also possible to withhold whistleblowing related information from disclosure to the individual making a SAR, provided that the whistleblower has made a protected disclosure which is genuinely in the public interest, in accordance with the Public Interest Disclosure Act. The ICO’s case study highlights how a bank could legitimately decide not to disclose a whistleblowing report in response to a SAR, relying on the “mixed personal data” exemption and potentially too the “crime and taxation” exemption under the DPA.
5. Confidential references
What used to be quite a complicated exemption for confidential references (depending on who was giving and who was receiving them, etc) was made simpler by the GDPR and the DPA. The general position now is that, provided that a reference is given in confidence (which should be made clear in privacy notices, a staff handbook, etc), the employer can rely on the DPA exemption to withhold a confidential reference rather than disclose it to the person to whom it relates if they make a SAR asking for copies of references. However, not all references are confidential, and to qualify for the exemption, a reference must be provided for the purpose of assessing a person’s suitability for education, training, employment, volunteering, appointment to an office, or provision of a service.
6. Management information and negotiations exemptions
The new Q&As include an example of what the “management information” exemption looks like in practice, which is taken from the detailed ICO guidance on subject access requests. The example scenario involves a business restructuring which will likely make some redundancies; members of staff start asking whether they are in the selection pool for redundancy but the employer decides to withhold this information from the employees, since it could “prejudice the conduct of the business and cause staff unrest”. A different but sometimes related exemption can be applied where disclosing personal data is likely to prejudice negotiations with the person making the SAR. The new guidance uses the example of ongoing negotiations of a severance package – but the ICO notes that this exemption will likely not apply once the negotiations have concluded, meaning that a later request from the individual for their personal data once the severance package has been agreed might require the employer to provide more of the individual’s data.
7. Manifestly unfounded or excessive requests
Reflecting the ICO’s detailed guidance on SARs, the new Q&As give an example of a “manifestly unfounded” request where the individual says they will withdraw their SAR in return for payment. Expanding on the meaning of an “excessive” request, the guidance gives an interesting example of a small business (with just four members of staff) receiving a SAR which could involve reviewing 3,000 emails. The hypothetical business contacts the ICO which recommends: (a) “requesting clarification from the worker to narrow down the search”; (b) “reviewing the emails for those which only contain the name, email address and signature” of the requester; and (c) “considering whether you can supply this information in a summary, for example ‘1000 emails contain only your name, email address, and signature’.” This sounds like very pragmatic advice for small businesses facing SARs with a wide scope – but we would urge some caution, since the ICO’s example deliberately picks a “micro business”: we know from case law that the “reasonableness” and “proportionality” of the searches to locate personal data (as well as the other efforts required to review, redact and disclose relevant information in response to a SAR) are a function of the data controller’s size and resources. As such, a very simple summary of information may not be a viable option for larger organisations – but this certainly offers hope to smaller businesses.
8. Non-disclosure and settlement agreements
The ICO is unequivocal that the subject access right is an important right for individuals which “cannot be overridden by a settlement or non-disclosure agreement”. Indeed, the ICO goes as far as to say: “If a settlement agreement you have made with a worker limits their right of access, then it is likely this part of the settlement agreement will be unenforceable under data protection legislation. Signing a settlement or non-disclosure agreement does not waive a worker’s information rights.”
9. Grievance processes and Tribunal proceedings
The new guidance is also clear that “You cannot simply refuse to comply because the worker is undergoing a grievance or tribunal process, and you believe they intend to use their personal information to obtain information for potential litigation”. In other words, the employer must disregard the employee’s possible motive in making their SAR (even if it seems clear that the individual is effectively trying to achieve early disclosure of information that would later be provided pursuant to the litigation process and indeed “even if there may be some cross-over in the information supplied”). The ICO offers no shortcuts here: each process must be followed separately and diligently, having regard to DPA exemptions on the one hand (in order to disclose relevant personal data) and the procedural rules of the Tribunal on the other (in order to disclose relevant documents).
10. Emails the requester has already seen
In our experience, the majority of the time spent responding to a subject access request from an employee is taken up reviewing and redacting email chains. The ICO’s Q&As for employers only emphasise how difficult this can be, saying that employers have to remember: (a) an individual only has a right to receive their own personal information within an email or email chain; however (b) “just because the contents of the email are about a business matter, this does not mean that it is not the requester’s personal information”; and (c) “just because the requester receives the email, this does not mean that the whole content of the email is their personal information”. The example scenario does not directly answer the question in the Q&A heading, namely “Do we have to disclose emails that the worker is copied into?”, but the guidance does emphasise that emails containing the requester’s personal data need to be reviewed on a case-by-case basis, taking account of the contents of the email and the context of the information it contains. As such, the ICO seems to suggest that it is inappropriate for an employer to apply a “blanket” policy of disclosing or withholding all emails that the data subject has been copied into or otherwise received previously.
11. Information from personal email accounts, social media etc
Echoing the detailed SAR guidance, the Q&As say that “organisations should have policies and procedures in place so that workers are aware of what they can and can’t do on the [organisation’s] IT system”, eg IT acceptable use policies concerning the use of personal email accounts, social media accounts, etc for business purposes or for the organisation’s official communications. The key question is whether your organisation is in fact the data controller of the information processed using those personal accounts, social media pages, etc. Where the organisation itself operates a social media account for the organisation’s own purposes, that will be in-scope of a SAR – but a well-drafted IT use policy will usually make clear that the organisation is not the data controller of employees’ personal email or social media accounts and has no control over the information on their personal devices.
12. CCTV footage
Finally, the new guidance reminds employers that CCTV footage can contain personal data relating to members of staff, and as such it may be necessary to search CCTV recordings when responding to a SAR. In our experience, this is only necessary where the individual specifically requests CCTV footage as part of their SAR, and in our view it is usually reasonable to ask the individual to clarify dates and times of the footage they are seeking. This is because it can be particularly laborious to locate and extract the individual’s personal data from still photographs or video footage (potentially including audio too) while redacting third parties’ images (which is usually necessary unless the third parties have consented to disclose their image captured via CCTV or if it is reasonable to disclose that data without their consent).
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2023