The Information Commissioner’s Office (ICO) has published a new subject access request Q&A for employers. It contains useful and practical guidance for employers, particularly in relation to withholding certain categories of data.
According to the ICO, there are two main issues arising: employers are not recognising and acting upon subject access requests (SARs); and/or they are not acting quickly enough or responding within the strict (and relatively short) statutory time frame of one month. This has led to more than 15,000 complaints to the ICO in a one-year period ending in March 2023.
How to recognise a SAR
A SAR gives an individual a means of obtaining a copy of their personal information from the organisation. This includes where the information originated, with whom it is being shared and what else the organisation is doing with it.
The legislation does not require a SAR to be in any particular format. SARs can be made verbally or in writing, including by social media, and can be directed to anyone in the organisation. Examples of requests include: “Please send me my HR file” and “What information do you hold on me?”. The guidance confirms that employers can ask for clarification of a request and that the time limit for responding is paused until a response is received, but clarification should only be sought where genuinely necessary and not simply as a delaying tactic.
When can information be withheld?
Data protection legislation contains specific exemptions that allow employers to withhold disclosure of certain information when responding to a SAR. This issue can give rise to much deliberation by employers about what to disclose and what to withhold. The guidance reminds employers that any exemptions must be applied on a case-by-case basis and the reasons for relying on an exemption must be justified and documented. The guidance contains useful pointers in relation to all the main exemption categories.
One issue that often arises is where personal information about one employee also contains personal information about others. An example would be witness statements taken during the course of disciplinary or grievance proceedings, or whistleblowing reports. The guidance states that consideration should be given to whether witnesses have requested to remain anonymous and whether appropriate redaction could be made to the statement to allow for partial disclosure.
Another situation which can cause confusion with respect to SARs is what to do with emails on which the employee requesting their information is only copied in. The Q&A confirms that it may not be possible to withhold the whole message as confidential; the context of the email must be considered in each case. Consistent with current practice and its approach to references, the ICO recommends that appropriate redaction of such emails can take place.
Equally, employers are often unsure whether to provide references in response to a SAR because of a specific exemption in the legislation covering confidential references. For the exemption to apply, it should be clear from an employer’s privacy notice, staff handbook or policies what information is considered confidential. In the absence of such express provisions, consideration should be given to whether clear assurances of confidentiality have been given to the referee and to the risk posed by disclosure.
What type of information should be provided?
The ICO also confirms that searches for personal information should be carried out across social media and messaging platforms (for example company Facebook, WhatsApp, Twitter and Microsoft Teams accounts). The legislation applies to any social media activity carried out in a commercial or professional context.
What about CCTV footage? This can be tricky because CCTV footage will inevitably capture images of other people. If your systems do not have the functionality to redact third-party images, footage showing third parties should only be disclosed with their consent or where it is reasonable to do so without it.
The new ICO Q&A aims to support employers in responding to SARs in a proper and timely manner to avoid fines or reprimands from the ICO for failures to comply. It is a helpful and easy reference guide for any employers responding to SARs. Employers should assume that any requests for personal information from employees are likely to be a SAR and appropriate steps should be taken to respond within one month.