The right of access and the GDPR

Individuals have had the right to request their personal information from organisations for many years; the right pre-dates both the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR).

Under the UK GDPR, individuals have a right to find out whether an organisation is processing information about them. If it is, the right of access, commonly exercised through a subject access request (SAR), entitles the individual to obtain a copy of their personal information from the organisation. The organisation must also tell the individual where it obtained the information, what it is using it for and who it is sharing it with.

Employers must respond to a SAR from a worker without undue delay and, at the latest, within one month of receiving it. Where the request is complex, or the worker has made a number of requests, the employer can extend the deadline by up to a further two months, but must tell the worker within the first month that it is doing so and why. Failing to respond to a SAR is a breach of data protection law and can lead to the Information Commissioner's Office (ICO) issuing a reprimand or a fine.

New guidance from the ICO

The ICO received over 15,000 complaints about SARs between April 2022 and March 2023 and took action in a number of cases, including reprimands issued to seven organisations, across the public and private sectors, for failing to respond to SARs within the legal deadlines.

Perhaps in response to this volume of complaints, on 24 May 2023 the ICO published new guidance to help businesses and employers respond to SARs properly and on time.

The guidance is in a Q&A format and highlights some of the common misunderstandings employers have when dealing with SARs. Employers need to read the new guidance alongside the ICO's original right of access guidance. In our view the new guidance helpfully clarifies some common misconceptions about SARs and includes some useful case examples, but it does not materially change the approach organisations should take when responding to the SARs they receive. That said, it should help organisations produce better SAR responses and reduce the number of complaints individuals make to the ICO.

Key topics from the ICO's new guidance

The points below highlight some of the key topics from the guidance; please refer to the full guidance for additional detail.

The format a SAR needs to take

SARs can be submitted informally and do not have to take any particular format to be valid. Workers can make requests verbally or in writing, including via social media. The request does not need to mention the right of access or the UK GDPR; it only needs to be a request for the individual's own personal information. Staff therefore need to be able to recognise a SAR and know what to do when they receive one.

Exemptions from the right of access

On some occasions, exemptions under the UK GDPR from the right of access may apply and employers can withhold some or all of the information requested (for example, where the information also identifies another individual, or where it is exempt management information). However, employers must apply exemptions on a case-by-case basis and must justify and document the reasons for relying on them. Employers can also refuse to comply with a SAR that is manifestly unfounded or excessive, and the new guidance gives examples of how to make this assessment.

Both the new guidance and the ICO's original right of access guidance state that a request is not necessarily excessive just because the individual asks for a large amount of information. Employers must therefore consider all the circumstances of the request.

Parallel SAR and grievance or tribunal process

Employers must comply with a SAR even if the worker is in the middle of a grievance or tribunal process and the information has already been disclosed through another route, such as litigation disclosure. If an employer believes it is not appropriate to disclose particular information, it must identify which exemption it relies on and why.

This suggests that the ICO is not moving in the direction of the European courts, which determined in 2022 that using a SAR for the purposes of litigation disclosure could be an abuse of process and manifestly excessive (for more on this topic, see our article: Part 2: European change in direction for access to personal data?).

Information contained in emails

The right of access extends to emails the worker is copied into that contain personal information about the worker. Employers must assess the content of each email and identify which information in it is the personal information of the worker making the SAR.

The guidance contains a useful example: rather than providing every email in which the same personal data appears (for example, the worker's name and email address), the employer can provide a summary of that information.

Use of personal communications

Employers need to consider whether workers' personal communication channels (such as personal email, WhatsApp or social media accounts) are within the control of the company and, if so, whether they must be searched and the results included in the response.

Searches on social media platforms

The right of access is very broad, and the UK GDPR places a high expectation on employers to provide information in response to a SAR. This includes searching the social media platforms used by the organisation for any personal information that falls within the scope of the SAR.

Transparency when withholding information

Where an employer decides not to provide data in response to a SAR (for example, because it would not be a reasonable and proportionate search to include emails to or from the data subject, or in order to protect third parties), it must be as transparent as it can about that decision and the reason for it.

Settlement agreements

A signed settlement agreement cannot override the right of access. Settlement agreements typically include a provision that any outstanding SAR will be withdrawn, but this does not prevent the data subject from making a new SAR later.

What can an employee do if they are unhappy with the employer's response?

A worker should first raise their concern with their employer, who should try to resolve it with the worker. If it is not possible to find a resolution, the worker can then raise a concern with the ICO.

Why can SARs be particularly tricky for employers and does the new guidance help with this?

SARs can be particularly problematic for employers to respond to since they can involve high volumes of data, require the removal of third party data and relate to contentious circumstances.

Workers will often make a SAR in the context of a grievance, dismissal or tribunal process. This is challenging for employers when the worker's grievance involves allegations concerning colleagues, because the response will inevitably touch on those colleagues' personal data. The fact that the ICO has issued this new guidance perhaps underlines this complexity.

Employers need to carefully navigate a path between responding to the SAR and considering whether to disclose information which identifies another individual. It is a delicate balancing act, as the employer has to consider both the rights of the individual making the SAR and the rights of other individuals in respect of their personal data. Issues often arise in this context as it may not be appropriate to seek the consent of a third party since this would make them aware that a SAR has been raised.

The new guidance gives the example of witness statements used in internal disciplinary or investigative processes, which more often than not contain information that identifies other individuals. The guidance considers whether witness statements can be disclosed in response to a SAR and runs through the factors an employer must weigh before deciding to disclose them. Lastly, a running theme of the guidance is that organisations should prepare for SARs before they arrive, by making sure they have appropriate policies and procedures in place and by reviewing the issues the new guidance raises.

The ICO's original right of access guidance also addresses, in detail, how to respond to a SAR where third party data is involved.

WBD Clarity

WBD Clarity is a targeted solution for responding to SARs, allowing you as an organisation to reduce the volume of personal data, streamline the review process and undertake SARs in a manner compliant with the ICO guidance. For example, Clarity enables you to:

  • Record decisions, at either category or document level, as to why documents are being provided or withheld, for example keeping an audit trail of the documents withheld to protect third party personal data
  • Quickly identify categories of documents that may not contain the data subject's personal data (such as documents relating to a different employee with a similar name), reducing review time and cost
  • Collate documents that contain the same personal data (for example, the data subject's email address) so that they can be summarised rather than having the third party data redacted from each email individually
  • Provide an analytical justification for declining a particular search requested by the data subject as unreasonable, for example by automatically identifying all emails to or from the data subject, or responsive to a particular search term, which depending on volume may not be reasonable to review

To see the benefits of the platform or to discuss how WBD Clarity could support your business, please contact us.