The right of access, commonly referred to as a subject access request or SAR, gives someone the right to request a copy of their personal information from organisations that process their personal data.
They are entitled to be told where the information came from, what it is being used for and if and with whom it is being shared.
On 24 May 2023 the Information Commissioner’s Office (ICO) published ‘SARs Q&A for employers‘, containing guidance on SARs , alongside a blog entitled ‘It’s important not to get caught out’.
According to the blog the ICO received over 15,848 complaints relating to SARs from April 2022 to March 2023. The ICO’s view is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to them.
Organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex. The blog notes that if organisations fail to respond to SARs promptly, or at all, they can be subject to fines or reprimand.
The Q&A contains responses to the following questions:
- What is the right of access?
- Do people have to submit a request in a certain format?
- Can we clarify the request?
- When can we withhold information?
- Do we have to advise the requester if we are withholding information?
- Do we have to comply with a SAR if the worker has signed a non-disclosure or settlement agreement?
- Do you need to comply with a SAR if the worker is going through a tribunal or grievance process?
- Do we need to disclose any non work-related personal information?
- Do we have to disclose emails that the worker is copied into?
- Do we have to include searches across social media?
- We’ve had a request for CCTV footage, but it contains images of other people. Do we have to disclose it?
- Can the ICO advise me what to include in a SAR response?
- What happens if a worker isn’t happy with their SAR response?
The ICO is in the process of generally overhauling its guidance on employment practices, which it is publishing in draft form in stages. It is currently analysing responses to its consultations on workers’ health information and monitoring at work. It is likely that the next stage of its consultation will cover recruitment and selection and employment records.
For further information, please contact:
Meriel Schindler, Partner, Withersworldwide
meriel.schindler@withersworldwide.com