The Information Commissioners Office (ICO) recently updated its guidance on the way employers should respond to subject access requests (SAR) from employees, both previous and current.

With the number of SARs increasing, and the ICO having the power to impose sanctions for failure to respond to requests, there are a few main points that are important to consider when a subject access request is received.

The full guidance can be read here: ICO - Subject Access Request Guidance

Your employees, and former employees, have the right to access the information you hold about them. This includes telling them where the information came from, how it is being used, and who it is being shared with.

Any request by an employee about the information held about them should be regarded as a SAR. The request does not need to be formal or in writing. It can even be made on social media. A request can also be made to any part of your business and does not have to be directed to a specific person. However, if possible, you should have a designated team for responding to requests.

The time frame for responding to requests is 1 month from the date of receipt. However, if you need to ask the requester to clarify the request, this stops the clock until they provide the clarification.

A request for clarification should only be made if additional information is genuinely required or a large amount of information is kept. If the request is not narrowed down, the search only needs to be reasonable.
Information can be withheld from the requester if the request is manifestly unfounded or excessive, or where the documents include information about someone else whose consent you do not have to disclose the information.

Situations where a request may be unfounded include where the requester is making unsubstantiated allegations, or the request is designed to be disruptive. Similarly, examples of a request being excessive include repeated requests, or when responding to the requests is unreasonable when balanced with the burden and cost to you and the business.

Documents such as witness statements, whistleblowing reports, and confidential references may be redacted where they disclose information relating to someone else.

Documents that include communications between you and a legal adviser for the purpose of litigation are subject to legal professional privilege and are therefore not disclosable. Similarly, any correspondence with third parties, that relates to the prevention of crime, prosecution, or collection of tax, should also be withheld. Other information that may be withheld may be commercially sensitive management information.

Where the requester is suspected of a crime, they should not be informed why the information is being withheld.

If the requester is dissatisfied with the response to the subject access request, they should refer back to you in the first instance, and if they remain dissatisfied, they may complain to the ICO.

At GS Verde Law, we can provide you with support and further guidance in navigating SARs.

If you have any queries about this or another employment or HR matter, you can contact us here - or you can contact Simon Pathé, Director of Employment Law, at spathe@gsverde.law.