GLD Vacancies

ICO issues new guidance for employers on dealing with subject access requests

The Information Commissioner’s Office (ICO) has published new guidance for employers on responding to Subject Access Requests (SARs).

The guidance comes just a week after two local authorities were reprimanded for SAR delays.

The ICO said some organisations were unaware that SARs can be submitted via social media and do not have to contain the words' subject access request'.

The right of access gives someone the right to request a copy of their personal information from organisations, including where they got the information from, what they're using it for and who they are sharing it with.

Individuals can request the personal information held by their employer or former employer, and organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex.

The guidance features answers to a broad range of questions on how SARs can be submitted, clarifying requests, withholding information, non-disclosure agreements, tribunals, non-work related personal information, and CCTV footage.

Commenting on the guidance, Elanor McCombe, Policy Group Manager at the Information Commissioner's Office, said: "The right of individuals to access information that organisations hold on them is one that is vital for transparency, and is enshrined in law."

She added: "What we're seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests.

"For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words' subject access request' in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to."

On submitting SARs, the guidance note says: "UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. Workers can make requests to any part of your organisation, and they do not have to direct it to a specific person or contact point. However, you should have a designated person, team and email address for SARs."

Last week, the ICO reprimanded Plymouth City Council and Norfolk County Council for failing to respond to SARs on time.

Norfolk had only responded to 51% of SARs on time between April 2021 and April 2022, while Plymouth was found to have taken up to two years to complete SARs in 18 separate cases.

Three other local authorities - the London Borough of Lambeth, the London Borough of Hackney and the London Borough of Croydon - were reprimanded in September 2022 for delays.

Adam Carey