
Reminder of DSAR Guidance for Employers provided by ICO

Last year the ICO published Q&A-format guidance to support businesses and employers in responding to DSARs. It should help to clarify common issues and includes case examples to assist employers when considering how best to respond to the DSARs they receive. Employers are advised to consider the guidance alongside the ICO’s right of access guidance.

It is hoped that the guidance will assist organisations to produce better DSAR responses, whilst also lowering the number of complaints that the ICO receives. However, this writer feels that the guidance falls short of what is really required in this area, which is currently abused by many prospective litigants who are not using the DSAR for what it was originally designed for – under Recital 63, to ‘be aware of, and verify, the lawfulness of the processing of their personal data’.

Organisations are encouraged to stay prepared for DSARs, which they can do by ensuring they are aware of how they collect, process and retain data, and by ensuring that appropriate policies and procedures have been put into place. We hope the guidance below also helps to simplify matters.

Key points from the ICO’s DSAR guidance

Please refer to the ICO’s entire guidance for in depth information, but a few common points have been selected below to assist further.

Issue: DSAR format
Guidance: DSARs can be submitted informally; they do not have to be in a certain format to be enforceable. Workers can make requests verbally or in writing, including via social media. The request does not need to mention the right of access or the UK GDPR; it just needs to be a request for an individual’s own personal information.

* Employees in the workplace need to be aware of how to recognise a DSAR and what to do if they receive one.

Issue: Exemptions from the right of access
Guidance: On some occasions, exemptions under the UK GDPR from the right of access may apply and employers can withhold some or all of the information requested by an employee (e.g. if the data cover more than one data subject, legal reasons, management information, etc.). However, employers must apply exemptions on a case-by-case basis and must justify and document the reasons for relying on them.

Employers can also refuse to comply with a DSAR if it is manifestly unfounded or excessive, and the new guidance under the Data Reform Bill may assist further when enacted (but this has been further delayed as of Feb 2024).

The guidance and the ICO’s original right of access guidance state that a request is not necessarily excessive just because a large amount of information is requested. All of the circumstances of the request must be considered.

Issue: DSAR served alongside a grievance or tribunal process
Guidance: Employers need to comply with a DSAR even if the worker is undergoing a grievance or tribunal process and the employer has already disclosed the information through another process such as disclosure. If employers believe it is not appropriate to disclose the relevant information, they must demonstrate which exemption is relied upon and why.

The UK government has proposed changing the threshold for refusing to respond to, or charging a reasonable fee for, a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’ under the Data Protection and Digital Information (No. 2) Bill (referred to as the Data Reform Bill).

One example of “vexatious” provided by the Government in the new Bill was a disgruntled employee leaving their employment on bad terms and serving a DSAR. It remains to be seen whether the current draft of the Bill will become law, and when (likely to be late autumn), or whether the ICO will provide some guidance confirming that a DSAR can be rejected if it is viewed as a vexatious “fishing expedition” following an employee’s hostile departure.

Issue: Email information
Guidance: The right of access applies to emails the worker is copied into which contain personal information about the worker. Employers must assess the emails’ content and consider what information in the email is the personal information of the worker making the DSAR. Solely being copied into an email does not in itself make the email the individual’s personal data.

The guidance contains an example in which, rather than providing all the emails in which the same personal data is held (i.e. name and email address), the employer could provide a summary of this information, but it must be clear what this is indicating and be able to be ‘understood’ as a response.

Issue: Use of personal communications
Guidance: Consider whether workers’ personal communication methods (e.g. personal emails, WhatsApp, social media) are within the control of the company and, if so, they need to be included.

Issue: Social media platform searches
Guidance: The UK GDPR places a high expectation on employers to provide information in response to a DSAR, which includes making searches on social media platforms used by the organisation for any personal information within scope.

(DSARs also encompass personal data within CCTV and audio recordings; check retention periods to establish what, and how many, recordings are in scope.)

Issue: Transparency when withholding information
Guidance: Where a decision is made not to provide data in response to a DSAR (for example, if searches are considered to be disproportionate, or it is unreasonable to include certain emails to/from the data subject and third parties in order to protect them), then the employer must be as transparent as possible and outline the refusal, with reasons, to the individual making the DSAR.

Issue: Settlement Agreement clauses
Guidance: Even if a settlement agreement has been signed, this cannot override the right of access to one’s personal data.

Nowadays settlement agreements often include a term/clause stating that the associated DSAR will be withdrawn (if applicable). However, this does not prevent a data subject from making a new DSAR or asking for one to be undertaken in the first place.


DSARs often involve high volumes of data, require the removal of third-party data and relate to contentious circumstances. Employees often raise a DSAR when involved in a grievance, dismissal or tribunal process, and the process can become additionally complex if the grievance involves allegations concerning colleagues. If adopted, the new Data Reform Bill may assist in this area, but it is limited in its guidance.

Employers also need to be mindful of third parties’ rights (including those of other employees) when considering whether to disclose information which identifies another individual. Issues around consent may arise, and it may not be appropriate to seek the consent of a third party, as doing so makes them aware that a DSAR has been made. Be sure to consider their consent, the existing employee policies you have in place and the protection of third parties’ identities.

The new guidance gives an example of witness statements, used for internal disciplinary or investigative issues in the workplace, which often contain information that identifies other individuals. The guidance considers whether it is possible to disclose witness statements when responding to a DSAR and runs through factors that employers should take into consideration when deciding whether to disclose the statements.
