ICO Update - Important information for employers regarding Data Subject Access Requests
- Author: Employment Team
The Information Commissioner's Office (ICO) has recently released updated guidance for businesses on how to handle a data subject access request (DSAR). Here, our Employment Law team outlines some of the main points employers should be aware of and discusses what actions employers should take if they receive a DSAR.
What is a Data Subject Access Request?
Article 15 of the General Data Protection Regulation (GDPR) gives individuals the right to access and receive a copy of any personal data an organisation holds on them. If a current or former employee makes a DSAR, you have a limited time to conduct a reasonable search of the information you process and present the employee with all the personal data you hold on them.
Many employers regard DSARs as an unwelcome burden as they can be costly and time-consuming. However, they should be given the appropriate attention, with the process followed strictly, to avoid any further complications or grievances. Employees may also make a DSAR to obtain early disclosure when engaged in litigation with their employer.
Clarification on DSAR time limits
Generally, you should respond to a DSAR within one month of receiving it. This may be extended to three months where the request is particularly complex. Whether a request is sufficiently complex to qualify for this extension will depend on its particular circumstances, and as an employer you should consider:
- any technical issues in retrieving the data;
- the need to consult with a legal adviser;
- specialist work required in obtaining and presenting the information.
The volume of information may contribute to the overall complexity of the request, but a request will not be considered complex solely because it involves large volumes of information.
You can request clarification from the data subject in order to narrow the scope of the DSAR. The ICO guidance states that when a request for clarification is made, the clock is “stopped” until you receive the data subject’s response. You should only request clarification where it is “genuinely required” and where “you process a large amount of information about the individual.” What is considered a large amount of information will depend on factors such as the size and resources of your organisation.
You should keep an accurate timeline detailing when the DSAR was received, when clarification was sought, and when a response was received. This will help ensure you respond to the DSAR within the required time. It may also be a good idea to continue to conduct a reasonable search for the employee’s data while waiting for their response. This way you can take advantage of any extra time afforded by “stopping the clock.” You can always refine your search after you receive the response from the data subject.
When you may refuse to respond to a DSAR
You may refuse to respond to a DSAR if the request is “manifestly unfounded or manifestly excessive.” A DSAR may be manifestly unfounded if:
- “the individual clearly has no intention to exercise their right of access” or
- the request is “malicious”.
A DSAR will be manifestly excessive if it is “clearly or obviously unreasonable.” This involves taking all the relevant circumstances into account and weighing the proportionality of the request against the burden of dealing with it. Factors you may consider include:
- the nature or sensitivity of the information;
- the context and your relationship to the data subject;
- your resources;
- whether the request is repetitive and a reasonable interval has not yet passed.
Each case will need to be assessed on its own facts. If you do decide to refuse a request, the reasons should be explained to the data subject.
Charging fees for responding to a DSAR
Another option for employers who receive a manifestly unfounded or excessive DSAR is to charge a fee. You can charge a fee for costs related to completing the DSAR, including:
- staff time;
- equipment such as CDs or USBs.
Any fees you charge should be applied in a “reasonable, proportionate and consistent manner” and explained to the data subject.
While receiving a DSAR may be annoying and stressful for employers, the new guidance should help clarify the various options that are available to you. If you have received a DSAR from an employee, former employee or a potential employee and you are uncertain about the route to take, you can contact a member of the Employment Law team today on 023 8071 7717 or email email@example.com.
This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice. All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.