Workers have a right to make a data subject access request (DSAR) to obtain copies of any personal data that is being processed by their employer. This includes details of where the employer got their information from, what they’re using it for, who they are sharing it with and what information is being retained. The Information Commissioner’s Office (ICO) has recently published new guidance for employers on responding to DSARs, which aims to ‘support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired.’
The ICO notes that in the year between April 2022 and March 2023 it received 15,848 complaints related to DSARs, and that this shows that ‘…many employers are misunderstanding the nature of subject access requests or underestimating the importance of responding to requests’. Some of the most frequently encountered compliance issues identified by the ICO in relation to DSARs include:
- Confusion about what constitutes a DSAR, for example ‘…employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request’. The guidance therefore makes it clear that simple requests from a worker, such as ‘Please send me my HR file’, ‘Can I have a copy of the notes from my last appraisal?’, ‘What information do you hold on me?’, and ‘Can I have a copy of the emails sent by my manager to HR regarding my verbal warning?’ will all qualify as a DSAR; and
- Failure to respond to DSARs within the required time frame – which is without delay and within one month of receipt, extended by up to two months for complex DSARs.
The guidance also covers issues such as clarifying DSARs, the extent of the information that may be included in a DSAR and situations when the employer may be entitled to withhold information. The ICO has also taken the opportunity to remind employers that it can take, and has taken, enforcement action for failure to comply with DSARs: ‘For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.’
For further information, please contact:
Fiona McLellan, Partner, Hill Dickinson
fiona.mclellan@hilldickinson.com