The Information Commissioner’s Office (ICO) has recently published guidance and a blog on subject access requests (SARs) for employers and businesses.
The UK GDPR and the Data Protection Act 2018 grant individuals various rights in relation to their own personal data held by their employer or past employer, including the right to access their own data as well as information on how the business is using it, who it is being shared with and where the organisation got the data from.
There were over 15,000 complaints made to the ICO last year relating to the handling of SARs.
It is therefore imperative that businesses understand their responsibilities when dealing with a SAR, as failure to respond promptly or at all can result in the ICO taking regulatory action against the business, which may lead to fines or reprimands being issued.
All SARs must be responded to within one month of receipt of the request; this can be extended by agreement by up to two months if the SAR is complex. Even where a worker has signed a non-disclosure or settlement agreement, an employer must comply with a SAR. If a settlement agreement limits a worker’s rights to access, then it is likely that the part which limits these rights will be unenforceable.
SARs can be made verbally or in writing and there are no formal requirements for a valid request. It is therefore important to ensure that those who are responsible for dealing with SARs are aware of the obligations and know how to recognise a SAR.
Where a SAR is vague, an employer can ask the individual to specify what they are looking for, which pauses the time limit until clarification is received. However, this shouldn’t be abused as a means to extend time if it is clear what the individual is requesting.
There are various exemptions from the right of access which may permit you to withhold some, or all, of the information requested. These exemptions must be applied on a case-by-case basis, and they must be justifiable.
If a business wishes to rely on an exemption, they are required to inform the requester of the reason for the refusal and detail the requester’s right to make a complaint to the ICO and their ability to seek to enforce those rights through the court.
If you require advice on SARs, advice on what should or should not be disclosed following a request, or whether you are able to rely on one of the exemptions, please contact our employment team here.