New Guidance on Subject Access Requests
Under the UK’s data protection regulations, any person has the right to submit a Subject Access Request (“SAR”) and obtain a copy of any personal information which the organisation holds on them. In an employment context, SARs serve as a useful tool for employees who wish to request information from their current or former employer about their personnel file, fitness records, personal development records, minutes from meetings etc.
Where an organisation receives a SAR, they must respond within one month, although this can be extended to two months if the request is complex or if the employee has sent a number of requests.
Failing to comply to SARs, is acting in non-compliance with the law. If organisations fail to respond to SARs promptly, or at all, they can be subject to fines or reprimand.
The Information Commissioner’s Office (“ICO”)- which is the UK’s independent body set up to uphold information- has reported that from April 2022 to March 2023, 15,848 complaints related to Subject Access were reported to the ICO. Elanor McCombe, Policy Group Manager at the ICO specifically referenced employers’ conduct, who often misunderstand the nature of subject access requests, or underestimate the importance of responding to requests.
The new guidance should therefore serve as a useful reminder to employers on how to comply with their obligations, as well as provide further insights into recurring issues such as; whether information can be withheld, steps to take if a worker is unhappy with their SAR response, and whether they have to disclose any non-work-related personal information.
One particular note of interest in the guidance is that employees’ right to request and obtain their personal data cannot be overridden by a settlement or non-disclosure agreement.
The guidance is set in a Q&A format.
To find out more information about the Guidance, please click here.