Subject Access Requests (SARs) are commonly received by companies from current and former employees, particularly as part of a grievance, disciplinary or employment tribunal process. We have been involved in a number of cases recently involving an SAR and have seen first-hand some of the issues in relation to interpreting ICO guidance and having the resources in place to meet the demands of GDPR.
In December 2019, the ICO issued an update to its draft guidance on the right of ‘subjects’ making access requests under GDPR, but there are still no hard and fast rules for HR departments to rely on. The guidance reiterates the need for each request to be dealt with individually.
What is a Subject Access Request?
Just by way of a quick reminder, under GDPR data subjects have the right to obtain information from data controllers on a number of grounds, including about whether and how their personal data is being processed. The data subject has the right to be provided with a copy of certain relevant information. The data controller must also provide details indicating the purpose for which the personal data is being held and whether it is shared with third parties.
Timescale for responding
One of the challenges for businesses is the timescale set out by the ICO (one month) for responding to a request. At some point during the second half of last year, the ICO quietly updated its draft guidance to clarify that the clock starts ticking as soon as the application is made by the data subject, even if the company asks for more information to help it fulfil the request.
The latest guidance states:
“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests.
You cannot ask the requester to narrow the scope of their request, but you can ask them to provide additional details that will help you locate the requested information, such as the context in which their information may have been processed and the likely dates when processing occurred. However, a requester is entitled to ask for ‘all the information you hold’ about them. If an individual refuses to provide any additional information or does not respond to you, you must still comply with their request by making reasonable searches for the information covered by the request. The time limit is not paused whilst you wait for a response, so you should begin searching for information as soon as possible. You should ensure you have appropriate records management procedures in place to handle large requests and locate information efficiently.”
How the request is made
Many companies prefer requests to be made by completing a standard form. However, a December update to the guidance makes it clear that requests via social media or by telephone must be dealt with in the same way and that filling in a standard form is not obligatory.
What constitutes a ‘complex’ request?
The one-month deadline can be extended to up to three months for complex and multiple requests, but what defines "a complex request" is not clear. The ICO has clarified that a request is not considered complex simply because it involves a large amount of information. Some factors that might add to complexity could be where information has been electronically archived or where specialist work is required, such as redaction of sensitive material.
Subjects who make bulk requests
There have been quite a number of instances where former employees or current staff have made a huge volume of requests under GDPR. Whilst organisations are expected to be able to handle high volumes of requests, the ICO has clarified that the volume of requests received will be taken into account if a complaint is raised about a delayed SAR. Organisations should do everything they can to process bulk requests effectively; if they can show that efforts were made to do so, the ICO seems to indicate that this will count in their favour.
We expect ongoing updates and clarification as the GDPR guidance is put into practice. However, all employers need to be able to manage their data securely and efficiently and have the resources and systems in place to respond to SARs.