Has Your Organisation Considered the ICO’s latest SAR Guidance?
Individuals have the right to access and receive a copy of their personal data held by an organisation, which is most often referred to as a subject access request or “SAR”. This right allows individuals to review how and why their personal data is being used. SARs frequently present in the context of a dispute, be that involving an employee or a student. Responding to SARs can be burdensome for organisations due to the time commitment and cost in resourcing the response.
The ICO received over 15,000 complaints relating to SARs last year alone. Enforcement action was taken against seven organisations including the Ministry of Defence, the Home Office and Virgin Media, who failed to respond as required. The ICO have recently issued guidance, which will be a useful tool to ensure that your organisation complies with its statutory obligations under UK GDPR and the Data Protection Act 2018 (the Data Protection Legislation), particularly given the increased scrutiny over non-compliance.
The guidance takes the form of a Q & A with useful examples that help set the context when considering a SAR. It is briefly summarised below.
Time Limit - You must respond to a SAR within one month of receipt of the request. You can extend that period by up to a further two months if the SAR is complex or if the individual has sent multiple requests, but you must tell the individual about the extension, and the reasons for it, within the original one-month period.
Format - There are no formal requirements for a valid request, so it can be made verbally or in writing, including over social media. The phrase "subject access request" does not need to be used; it just needs to be clear that the individual is asking for their personal information. You should designate a person, team or email address for SARs, but a request may be made to any part or person within your organisation. It is therefore important that staff know how to identify a SAR and what to do if they receive one.
Clarification - You can ask the requester to clarify the request, but only if this is genuinely necessary in order to respond to the SAR and you process a large amount of information about that individual. The time limit for responding is paused until you receive the clarification.
Withholding Information - There are exemptions from the right of access which permit an organisation to withhold all or some of the information requested. They must be applied on a case-by-case basis, and you will need to document the reasons for relying on any exemption so that you can demonstrate the justification for doing so. The exemptions include:
- If the SAR is manifestly unfounded, where the individual clearly has no intention to exercise their right of access, or the request is malicious in intent and used to harass your organisation with no reason or purpose other than to cause disruption. Indicators of malicious intent include unsubstantiated accusations prompted by malice or systematically sending different requests as part of a campaign with the intention to cause disruption.
- If the SAR is manifestly excessive, where the request is clearly unreasonable. All of the circumstances must be taken into account, including (i) the nature of the information sought; (ii) the context of the request; (iii) whether a refusal to provide the information may cause substantive damage to someone; (iv) your available resources; (v) whether the request largely repeats previous requests received recently; and (vi) whether it overlaps with other requests. However, the fact that a request will involve a large volume of information does not of itself make it excessive.
- The information sought includes information about other people, save where that third party consents to the disclosure or it is reasonable to comply with the request without the person's consent. In the context of an investigation or dispute, witness statements may have been obtained, and it will be necessary to consider the expectations of the party who provided the statement, whether they are capable of giving consent, and the type of information the statement would disclose, such as the identity of the writer regardless of any redaction.
- Legal professional privilege - communications with your organisation's legal advisers may be subject to legal professional privilege where they are (i) confidential in nature; (ii) made between client and legal adviser in a professional capacity; and (iii) made for the purpose of obtaining or providing legal advice, or for use by lawyers in actual or possible litigation.
- Management information - an exemption applies to personal information that your organisation processes for management forecasting or planning, so you can refuse to provide this type of information if disclosure is likely to prejudice the conduct of the business or activity. An example is information about a planned restructuring of your organisation. You do not have to acknowledge that you hold this information.
Advising the requester of any withholding - This depends on the circumstances of each case. It may not be appropriate where telling the requester would prejudice the purpose of the exemption. Where possible, however, you must be transparent about what has been withheld and why.
Complying with a SAR where there is a settlement agreement or NDA - If the requester has entered into a settlement agreement or NDA, their right to obtain their personal data remains regardless and cannot be overridden by any such agreement. Any provision that seeks to limit an individual's right to access their information is likely to be unenforceable under the Data Protection Legislation.
Disclosing emails the individual has been copied into - The requester may have been copied into a number of emails. When assessing whether they should be disclosed, you will need to review what information in each email is the personal information of the requester. The fact that the requester received an email does not mean the whole content of that email is their personal information, so a review of the context will be key.
Do we have to include searches across social media? If your organisation uses social media platforms for business purposes, such as Facebook, WhatsApp and chat channels on Microsoft Teams, then your organisation is the controller for the information processed on those channels. You should therefore search across them for any personal information that falls within the scope of the SAR. You should also treat posts supplied to you by others as potentially in scope, such as where an employee submits a copy of posts from a WhatsApp group.
The complete ICO guidance can be found here. It sets out the requirements of the Data Protection Legislation and clarifies how some of the rules can be applied in the workplace context. Following review, your organisation may wish to consider its policies and processes to ensure that they align with the guidance and organise updated SAR compliance training.
If you would like any further information or advice on these issues, please contact Rachel Toner from the Commercial team.
*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.