On 24 May 2023, the Information Commissioner’s Office (ICO) published new guidance for employers and businesses on responding to subject access requests (SARs). The guide is a helpful tool for organisations in ensuring they comply with their obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) when responding to requests for personal data. In particular, the ICO has supplemented the document with a useful ‘SARs Q&A for employers page’ which signposts some of the commonly arising issues for organisations, including those which have recently been the subject of sanctions. Some of the key takeaways from the guidance and the new Q&A page are:
1. There are no formal requirements for a valid SAR
The guidance reminds organisations that SARs may be directed to any individual within an organisation; they may be made via social media; they do not need to include the words ‘subject access requests’; and that they may mistakenly refer to legislation other than the UK GDPR and DPA but nevertheless constitute a valid SAR.
To safeguard organisations against the risk of failing to identify a SAR that has been submitted informally, the ICO encourages organisations to ensure that all staff members are aware of the organisation’s obligations to respond to SARs and can correctly identify them. Additionally, the guidance suggests that organisations appoint designated individuals to respond to any SARs they may receive.
2. Strict time limits apply when responding to SARs
The guidance emphasises that a failure to comply with the time limits set on responding to SARs can result in regulatory action, including either financial sanctions or reprimands.
The ICO helpfully clarifies, however, that the time to respond to a SAR can be extended when the request is particularly complex, and that organisations have a right to seek clarification of the exact nature of the information sought by the requester before responding, thereby “stopping the clock” on the response time.
3. There is no obligation to respond if the request is manifestly unfounded or manifestly excessive
An organisation will also not be required to respond when disclosure would include, amongst other things, information identifying an individual other than the requester, a confidential reference, or documents subject to legal professional privilege. The guidance provides helpful examples of when these, and other exemptions, may be applicable and the recommended steps to adopt in determining their applicability.
4. Compliance with a SAR is required irrespective of whether the requester is engaged in tribunal or grievance proceedings
However, if certain documents (such as witness statements) contain the personal data of third parties given in confidence, then it may be inappropriate to disclose such documents. It is also important to note that whistleblowers are protected by the Public Interest Disclosure Act 1998.
5. Searches of all electronic systems are necessary
Personal information can include the contents of emails stored on computer systems, and disclosure may require providing redacted versions of email correspondence. A SAR may also require searches to be conducted across social media platforms, including Facebook, WhatsApp and Microsoft Teams chat channels, for any personal information shared about the requester.
6. Enforcement action may be taken due to non-compliance
According to the ICO, between April 2022 and March 2023, 15,848 complaints related to SARs were reported to the ICO. Where an organisation has failed to comply with a SAR, the ICO can take action by issuing a warning, reprimand, enforcement notice or penalty notice.
Non-compliance by way of delayed or non-response to a SAR has clearly been the most significant issue within the health and government sectors. For example, the ICO recently issued reprimands against both Norfolk County Council (Norfolk CC) and Plymouth City Council (Plymouth CC) for their statutory infringements relating to SARs. Investigations conducted by the ICO identified substantial delays on the part of these councils in responding to SARs, with some requests still not having been responded to despite periods of up to two years having passed since they were made. Notwithstanding the significant mitigating factors identified in each of these cases (which included, for example, the impact of the Covid-19 pandemic on the ability of Norfolk CC to access manual records, and the efforts of Plymouth CC to log and track SARs with KPIs), the ICO determined in both cases that reprimands were appropriate and made recommendations to both bodies to ensure their compliance with the UK GDPR and DPA.
While the guidance and new Q&A page have been published in the context of the ICO expressing its intention to move away from financial sanctions towards public reprimands, organisations should be reminded that a reprimand can still significantly damage an organisation’s reputation and should not be taken lightly.
Browne Jacobson’s specialist data team is here to answer any questions you may have about your personal data obligations and guide you through your requirements when responding to a SAR.