ICO publishes new guidance on responding to subject access requests

The right of subject access has long been regarded as critical in ensuring that organisations that collect and use individuals' personal information comply with the principle of lawfulness, fairness and transparency in their processing of such data.  However, the issue of how to respond to subject access requests (SARs) in practice is not always well understood.

On 24 May 2023, the UK Information Commissioner (ICO) published new guidance for organisations on responding to SARs.  The new guidance is intended to assist employers in responding to SARs appropriately and within applicable time limits and to make sure that employees are able to obtain access to their personal data when they wish to do so.

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), individuals have the right to obtain from data controllers confirmation as to whether or not personal data about them is being processed and, if it is, to access and receive a copy of such personal data, together with certain other information.  Such information includes: 

• the purposes of the processing;
• the types of personal data concerned;
• the recipients or types of recipients with whom the personal data has been or will be shared;
• if possible, the expected time period that the personal data will be stored for (or how that time period will be decided);
• the fact that the relevant individual has a right to ask the controller to correct or delete such personal data, restrict the processing of such personal data, or object to the processing of such personal data in certain circumstances;
• the individual's right to complain to a supervisory authority;
• any available information about where the personal data was obtained from if such data is not collected from the individual; 
• the existence of any automated decision-making, including profiling, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the individual; and
• if the personal data is transferred internationally, details of the safeguards implemented to protect the transferred data.

Individuals can ask for copies of personal information held about them by organisations that are processing their personal data, including their employers, and organisations are obliged to respond to such requests within one month of receiving them (although this can be extended by up to two months in some cases).  

Organisations do not always respond appropriately to SARs that they receive, with the ICO reporting that between April 2022 and March 2023 it received 15,848 complaints in connection with such requests.  Failure to respond to SARs is an offence and can result in enforcement action, such as reprimands or monetary penalties.  Recent examples of enforcement action for failure to respond to information access requests include the ICO's reprimands in respect of Plymouth City Council and Norfolk City Council

Eleanor McCombe, Policy Group Manager at the ICO, noted that many employers misunderstand SARs and the importance of addressing them, observing that, for example, many employers do not know that SARs do not have to include the words "subject access request" to be legally binding and that SARs can also be submitted informally, such as over social media.

The new guidance clarifies a number of issues including, among others:

• what constitutes the right of access;
• time limits for responding to SARs; 
• the format of SARs;
• when requests can be clarified; 
• when personal information can be withheld; 
• compliance in the context of non-disclosure or settlement agreements; 
• compliance in the context of tribunals and grievance processes; 
• disclosure of non work-related personal information;
• disclosure of emails the data subject is copied into; 
• searches across social media; and 
• requests for CCTV footage.

Historically, SARs have often been regarded as being challenging and time consuming for organisations to address, so the new guidance will likely be welcomed by employers and should provide clarity on a number of issues.  Hopefully, facilitating compliance with applicable data protection obligations around subject access should ultimately benefit both employers and employees alike.