Context
The Information Commissioner’s Office (ICO) has published new guidance for businesses and employers on responding to Subject Access Requests (SARs). The right of access, commonly referred to as a SAR, gives an individual the right to request a copy of the personal information an organisation holds about them. This includes where the organisation obtained the information, what it is using it for and who it is sharing it with.
Key points to note
Individuals can request the personal information held by their employer or former employer, such as attendance and sickness records, personal development records or HR records. Organisations must respond to a SAR within one month of receiving the request. This can be extended by a further two months if the request is complex.
Failing to respond to a SAR is a breach of data protection law. Organisations that fail to respond promptly, or at all, can be fined or reprimanded by the ICO. Elanor McCombe, Policy Group Manager at the Information Commissioner’s Office, says: “The right of individuals to access information that organisations hold on them is one that is vital for transparency and is enshrined in law.”
“What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to.”
“It’s important to not get caught out, and that is why we are publishing this guidance today – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired.”
“For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.”
The right of access is set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). From April 2022 to March 2023, 15,848 complaints relating to subject access were reported to the Information Commissioner’s Office. Last week, the ICO reprimanded Plymouth City Council and Norfolk County Council for failing to respond to information access requests. In September 2022, the ICO took action against seven organisations that had failed in their duty to respond to SARs.
The new guidance on responding to SARs can be read here.
Next actions
None – for information and awareness.