Subject Access Requests under the GDPR: What employers need to know

On 25 May 2018, a new Subject Access Request (‘SAR’) regime came into force. This blog sets out the key changes employers need to be aware of and provides some practical tips to ensure you are best prepared to deal with SARs once the GDPR is in place.

What is a SAR?

SARs are a familiar concept, currently found in the Data Protection Act 1998 (‘DPA’). They entitle individuals to the right to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation. This right will continue under the GDPR.

According to the ICO’s own official statistics, mishandling of SARs is the number one data protection issue complained about by the public. In 2016, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.

What if employers fail to comply with a sar?

A failure to meet the deadline or provide employees with access to all the data they request could expose employers to significant penalties.

The ICO has a range of enforcement tools available to it under the GDPR including issuing warnings, reprimands, ordering compliance and imposing large fines.

How will the GDPR change the current SAR regime?

The right for individuals to gain access to personal data that organisations hold about them is the key principle of the DPA and will continue to be so under the GDPR. There are, however, a number of key differences employers must be mindful of:

Time to Respond to a SAR

Under the GDPR, employers must respond to a SAR ‘without undue delay and in any event within one month of receipt of the request.’ This shortens the previous 40 day limit under the DPA.

Despite the standard time limit for responding being reduced, the GDPR allows employers to extend the deadline by up to two months (so up to three months in total) where requests are particularly ‘complex or numerous.’ If this is the case, the data subject must be contacted within one month of making their request and informed why an extension is necessary.

The ability to extend the time limit will be extremely useful for employers dealing with particularly time-consuming requests. The burden of determining whether a request will be considered ‘complex’ is on the employer. Provided employers can evidence good reasons for the delay, it is generally considered unlikely that the ICO will challenge employers on this point, but this remains to be seen.

Employers should also look to the GDPR recitals, which helpfully provide practical guidance on the application of the new rules. Recital 63 suggests that where the employer processes a large quantity of information about the employee, they should ask the employee to ‘specify the information or processing activities to which the request relates’. However, the more the employee narrows down their request, the harder it will be to show ‘complexity’.

Fee for carrying out a SAR

Employers can currently charge up to £10 for carrying out a SAR. In practice, for employers the £10 charge rarely covers the cost of complying with a SAR, particularly where the request is complex and collating the information is especially time consuming.

Under the GDPR, the fee will be scrapped and the information must be provided free of charge, which may initially seem burdensome for employers. However, the ICO guidance explains that employers may charge a ‘reasonable’ fee if the request is ‘manifestly excessive or unfounded, particularly if it is repetitive.’ It explains that the fee must be on the basis of the administrative costs involved of retrieving the information and will no doubt mean that the level of fee can vary significantly depending on the remit of the request.

‘Manifestly unfounded or excessive’ requests to employees

In addition to being able to charge for ‘manifestly excessive or unfounded’ requests, employers may now also refuse to respond to unwarranted requests. The ICO guidance explains that ‘you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.’

Nevertheless, determining whether the request is ‘manifestly excessive or unfounded’ is up to the employer. It would not be enough to simply say that the effort to search a pool of thousands of emails would be disproportionate without taking any steps to isolate the information or engage with a process of searching them. If it transpires that there are significant technical difficulties in recovering the information, then the employer may begin to move into the territory of showing the request is ‘manifestly excessive’. The bar for relying on this excuse is likely to be clarified by the courts in time. However, it is expected to be hard to overcome.

Electronic access to a SAR

From the 25 May 2018, it must be possible for employees to make SARs electronically. Where the request is made electronically, the information should be provided in a commonly used electronic form, unless otherwise requested by the individual.

The ICO also used its revised code on SARs to confirm that ‘individuals may make a SAR using any Facebook page or Twitter account your organisation has, other social-media sites to which it subscribes, or possibly via third-party websites organisations’. It said that organisations can steer people to submitting SARs through a particular communications channel, but ‘may not insist on the use of a particular means of delivery for a SAR’.

The ICO said, however, that organisations are entitled to ask requesters to confirm their identity and that they can, in some cases, respond to SARs submitted via social media using other communications channels.

This is unlikely to have much of an impact in an employment context but it is important that the relevant staff are mindful of this change. Staff should be able to recognise a SAR, even when it is delivered through an alternative communication channel.

Organisations can withhold personal data

Under the GDPR, organisations can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others.’ It will be up to the UK government to introduce any further exemptions to SARs such as for national security, defence and public security.

What are the exemptions from subject access under the GDPR?

The DPA currently sets out a number of exemptions which allow information to be withheld from data subjects in circumstances in which it would otherwise need to be disclosed.

Current exemptions which are relevant for employers include:

• Confidential references – employers do not have to provide subject access to references they have confidentially given in relation to an employee’s employment;
  
• Management information – personal data which relates to management forecasting or planning is exempt from subject access (to the extent complying with the SAR would be likely to prejudice the business activity of the organisation);
  
• Legal advice and proceedings – employers do not have to disclose data which is covered by legal professional privilege;
  
• Settlement negotiations – the subject is not entitled to personal data which consists of a record of the employers intentions in respect of settlement discussions that have taken place or are in the process of taking place with that individual.

There is no such list of exemptions set out under the GDPR. However, Article 23 allows national governments to introduce exemptions to various provisions in GDPR, including SARs, by way of national legislation based on a list set out in that article. This list contains the same categories as in the DPA e.g. national security, crime prevention, regulatory functions etc.

Recital 63 of the GDPR also notes that exemptions could extend to the protection of intellectual property rights and trade secrets.

The government has stated that its objective is to ‘preserve the effect of the exemptions in the DPA to the extent permitted under the GDPR’. Therefore, it is expected that the current exemptions set out above will continue to apply.

What steps can employers take prepare for the new sar regime?

As an employer, there are numerous actions you can take to ensure you are ready for the changes. Below are a number of suggestions we recommend considering:

• Updating internal policies and procedures on responding to requests from individuals in relation to their personal data in line with the new wider GDPR requirements and rights which now include - the right to access personal data, right to data portability, to rectify and delete data, to restrict and object to processing, and to lodge a complaint with a supervisory (data protection) authority;
  
• If there is not already one in place, outline a process for handling SARs, e.g. how to identify what constitutes personal data, what data is third party data and what obligations the organisation now has to fulfil to ensure it is compliant;
  
• Train staff to identify when a request from an employee is a SAR, ensure they are aware of the new shorter deadline for responding and how to deal with requests as efficiently as possible;
  
• Keep tabs on all the systems where personal data is held – this is in line with the new obligation under the GDPR to keep records of processing activities (Article 30). This can cover hardcopy documents as well as information stored electronically such as emails, text messages and spread sheets;
  
• Update internal IT systems to allow for deletion, transfer of personal data and ensure that data pertaining to an individual can be quickly isolated;
  
• Review your organisation’s data retention policies and ensure the relevant individuals are aware of them;
  
• Consider preparing template response letters to guarantee that all elements of a response to a SAR are being complied with under the GDPR which should help make SAR responses more efficient and thorough;
  
• Ask the relevant staff to run a ‘SAR dress rehearsal’ before the deadline to ensure that the process runs smoothly in practise;
  
• Consider GDPR best practice and consider setting up a ‘data subject access portal’ which can allow an individual to access their information quickly, easily and remotely. However, employers must remain mindful that this should not ‘adversely affect the rights and freedoms of others,’ therefore careful thought will need to be given as to whether third party data should be redacted before putting it on the portal.

Important note - Since this blog was published, the General Data Protection Regulation (‘GDPR’) has come into force and the content of this blog has not been updated to reflect the new regime.

Should you have any GDPR or data protection queries, please contact our data protection team.