Subject access request: Guide for employers
Author: Martin Cornforth
This guide provides practical guidance for responding to subject access requests made by employees pursuant to the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) and the Data Protection Act 2018 (DPA 2018). As such, this guide is limited in scope and does not cover wider data protection obligations.
An employee has the right to be informed by an employer as to whether their personal data is being processed, and if so, the employee is entitled to a copy of their personal data.
What is required by an employee when making a subject access request?
A subject access request may be made in writing, by email or other electronic means, and/or verbally. The employer should provide means for requests to be made electronically.
The ICO notes that an individual may submit a request, "to any part of your organisation and they do not have to direct it to a specific person or contact point."
Employers should consider directing requests to a member of staff who understands what a subject access request is and the organisation's procedures. Standard forms can make it easier for organisations to recognise a request. However, since a request is equally valid whether submitted by letter, email or verbally, employers can't require that staff use any such form.
A request may be framed widely, even to the extent of "any personal data that is processed" about the employee. The UK GDPR indicates that where a requester seeks a large quantity of information, employers can ask the employee to specify the information sought before responding. In such cases, the time limit for responding to a request is paused until the employer receives clarification.
In many contexts, there will be thousands of pieces of data processed about an employee (for example, computer log-on files, records of web searches made, emails and associated metadata). If a request is not limited, the employer could argue that it is "manifestly unfounded or excessive" and seek to charge a fee or refuse to act on the request. The more focused and reasonable an employee is, the harder that argument will be. Establishing that a request is "manifestly unfounded or excessive" is a high hurdle to overcome in practice and only an exceptional case would fall into this category.
Employees frequently ask for documents when making subject access requests; however, no right currently exists to see documents (as opposed to personal data).
Responding to a request
What is personal data?
An employer is not required to provide all information requested but only personal data relating to the employee who made the request.
The UK GDPR (read with the DPA 2018) defines personal data as: "any information relating to an identified or identifiable living individual ('data subject')." It adds that an identifiable living individual is a person identifiable, directly or indirectly, by identifiers such as a name, an identification number, location data, an online identifier or characteristics specific to that person (for example physical, mental, economic or social characteristics).
The UK GDPR covers the processing of personal data in two ways:
- personal data processed wholly or partly by automated means (that is, information in electronic form); and
- personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).
As such the UK GDPR does not cover information which is not, or is not intended to be, part of a ‘filing system’.
Information is only personal data if it concerns a ‘natural’ person. Consequently, information about a limited company does not constitute personal data and does not fall within the scope of the UK GDPR. Similarly, information about a public authority is not personal data.
However, the UK GDPR does apply where personal data 'relates to' individuals acting as sole traders, employees, partners, and company directors where the information relates to them as an individual.
It will often be clear where data ‘relates to’ a particular individual. Data which identifies an individual, even without a name associated with it, may be personal data if the purpose of the processing is to learn or record something about that individual, or where the processing has an impact on that individual. Therefore, data may ‘relate to’ an individual in several different ways.
The ICO guidance provides the following example of where processing would or wouldn't 'relate to' an individual:
"A biscuit factory records information about the operation of a piece of machinery. If the information is recorded to monitor the efficiency of the machine, it is unlikely to be personal data.
However, if the information is recorded to monitor the productivity of the employee who operates the machine (and his annual bonus depends on achieving a certain level of productivity), the information will be personal data about the individual employee who operates it."
Receiving a request
On receipt of a request, the employer should make an initial assessment considering:
- The extent to which it processes data concerning the employee.
- The scope of the request.
- Whether it intends to respond.
- If it is going to respond, whether the nature or scope of the employee's request will have an impact on the timing of a detailed response.
- What its approach to finding the employee's personal data will be.
The ICO has indicated that if the status of a request genuinely lacks clarity, the time for responding does not begin until the employer has clarified the employee's intention and what personal data they are requesting. The employer should contact the employee quickly and explain why clarity is sought. The employer should keep a record of any conversation about the employee's request and the date when it sought and received any further explanation.
An employer receiving a request must make sure that the request comes from the person purporting to make it. As such, the employer can seek additional information where there is reasonable doubt about the identity of the employee. This would not apply where someone's identity is obvious, which is particularly likely in an ongoing employment relationship.
Where information about identity is sought, formal identification documents should not be requested unless necessary. There may be other ways to verify identity such as usernames and passwords.
Timing of response
The starting point for the rules regarding timing is as follows:
- A data subject access request must be dealt with without undue delay and in any event within one month of receipt of the request.
- That one-month period may be extended by up to two further months where necessary, in consideration of the complexity and/or number of requests.
The employer must inform the employee of any extension within one month of receipt of the request, together with the reasons for the delay.
The ICO has clarified that the time limit starts to run from either receipt of the request, or receipt of:
- Any information requested to confirm an employee's identity; or
- A fee where an employer has been entitled to charge one.
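The timing rules above can be turned into a simple deadline tracker. The following is an added example, not code from the guide or from the ICO. It applies what the guide states: the clock starts on receipt of the request or, if later, on receipt of requested identity information, a permitted fee, or the clarification the employer sought; the response is due one month from that start; the period may be extended by up to two further months, and the employee must be told of the extension within the first month. The month arithmetic (same day number in the later month, clamped to that month's last day) is a convention chosen for this example, not a rule taken from the guide, and should be confirmed for a real case.

```python
"""Response-deadline tracker for a subject access request (added example).

Rules applied are the ones the guide states; the month-counting convention
(same day of month, clamped to the last day) is an assumption of this example.
"""
import calendar
from datetime import date


def add_months(d, months):
    """Same day of month `months` later, clamped to that month's last day
    (31 January + 1 month -> 28/29 February). Convention chosen here."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def clock_start(received, identity_confirmed=None, fee_received=None,
                clarified=None):
    """The time limit runs from the latest of: receipt of the request,
    receipt of requested identity information, receipt of a permitted fee,
    or receipt of the clarification the employer asked for."""
    return max(d for d in (received, identity_confirmed, fee_received,
                           clarified) if d is not None)


def sar_timetable(received, identity_confirmed=None, fee_received=None,
                  clarified=None, extension_months=0):
    """Key dates as ISO strings. Inputs are ISO dates (YYYY-MM-DD) or None."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension is at most two further months")

    def parse(s):
        return date.fromisoformat(s) if s else None

    start = clock_start(parse(received), parse(identity_confirmed),
                        parse(fee_received), parse(clarified))
    return {
        "clock_start": start.isoformat(),
        # Without an extension the response is due here; with one, this is
        # the last day on which the employee must be told of the extension.
        "one_month": add_months(start, 1).isoformat(),
        "response_due": add_months(start, 1 + extension_months).isoformat(),
    }


def extension_notified_in_time(received, notified_on, **kwargs):
    """True if notice of an extension (with reasons) was given within the
    first month. ISO date strings compare correctly as plain strings."""
    return notified_on <= sar_timetable(received, **kwargs)["one_month"]


if __name__ == "__main__":
    print(sar_timetable("2023-01-31"))
    print(sar_timetable("2023-01-31", identity_confirmed="2023-02-03",
                        extension_months=2))
```

The month-end clamp is the edge case worth noticing: a request received on 31 January falls due on 28 February (or 29 February in a leap year), not on 3 March. Where identity information or a fee arrives after the request, the clock moves to that later date, so the tracker takes the latest of the dates supplied.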
When considering whether to extend the timescale for responding, the complexity of a request depends upon the specific circumstances. The employer's size and resources are likely to be relevant factors.
The ICO gives the following as examples of factors that may, in some circumstances, add to the complexity of a request:
- Technical difficulties in retrieving the information.
- Applying an exemption involving large volumes of particularly sensitive information.
- Any specialist work to obtain the information or to communicate it in an intelligible form.
- Clarifying confidentiality issues around the disclosure of sensitive medical information.
- Needing specialist legal advice.
- Where the request involves a large volume of information and retrieval is difficult.
Finding, retrieving and redacting personal data
Dealing with a subject access request can be demanding and time-consuming, particularly in an employment context where data may be unstructured and include details of other individuals. Such data will probably require redaction.
Although an employer must make genuine and extensive efforts, it does not have to go so far as to leave no stone unturned when searching for information. The ICO suggests that the employer must make "reasonable efforts" to find requested information but employers are not required to "conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information". To decide whether searches may be unreasonable or disproportionate, the employer must consider:
- The circumstances of the request.
- Any difficulties involved in finding the information.
- The fundamental nature of the right of access.
Even if searching for some information may be unreasonable or disproportionate, an employer is still required to search for other information within the scope of a request. Employers should ensure that their information management systems are well-designed and maintained, so that they can efficiently locate and extract requested information and, where necessary, redact third-party data.
The primary task is to find the relevant personal data. Most electronic information can be found and sorted relatively easily. Emails are usually the starting point and, because of their unstructured nature, the most difficult to deal with. Typically, an employer would:
- Look at a number of individuals' mailboxes and use search tools to identify emails that refer to the employee. It would be normal to search for the employee's name and other identifiers commonly used, such as abbreviations, nicknames and initials.
- Having identified a pool of emails that refer to the employee, narrow that pool by date (if relevant) or by other appropriate criteria (for example "redundancy" or "performance").
- Assess whether any of the personal data also relates to other individuals. That data falls into two categories:
  - personal data relating to other individuals that does not relate in any way to the employee ("non-relevant personal data"); and
  - personal data about the employee that is also information about another individual.
If the personal data is also information relating to another individual, unless that individual has consented, the employer must consider the reasonableness of disclosing the information without consent. If it is unreasonable to disclose the information without consent, the employer should consider whether, by redacting information, it would be possible to provide the employee with at least some of the personal data sought. If so, the employer would then redact that "other individual" personal data.
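The search, narrowing and redaction steps described above, as an added example that is not code from the guide or the ICO. It works over a constructed sample mailbox (all people, addresses and message text are made up) and searches for the employee's name, first name, initials and any known nicknames; narrows the pool by date and keyword; and redacts the names of other individuals whose data the employer has decided not to disclose. The reasonableness assessment itself (consent, the other person's role, confidentiality) is a human judgement made before the redaction step runs; the code only applies its outcome.

```python
"""Mailbox triage for a subject access request (added example; sample data
is constructed and nobody named here is a real person)."""
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class Email:
    sender: str
    recipients: list
    sent: date
    subject: str
    body: str


# Constructed sample mailbox.
MAILBOX = [
    Email("hr@example.test", ["manager@example.test"], date(2023, 3, 2),
          "Probation review",
          "Jo Bloggs has completed probation. Well done to J.B."),
    Email("manager@example.test", ["hr@example.test"], date(2023, 6, 14),
          "Restructure",
          "Proposed redundancy pool: Joanne Bloggs and Sam Patel."),
    Email("it@example.test", ["all@example.test"], date(2023, 6, 20),
          "Printer outage",
          "The third-floor printer is down until Friday."),
    Email("manager@example.test", ["hr@example.test"], date(2023, 7, 1),
          "Performance",
          "Jo's performance has dipped; Sam Patel raised concerns."),
]


def _whole(term):
    # Whole-token match using lookarounds rather than \b, so identifiers
    # ending in punctuation such as "J.B." still match.
    return re.compile(rf"(?<!\w){re.escape(term)}(?!\w)", re.IGNORECASE)


def name_variants(full_name, extra=()):
    """Identifiers to search for: full name, first name, initials, plus any
    nicknames or abbreviations the employer knows are in use (extra)."""
    parts = full_name.split()
    initials = ".".join(p[0] for p in parts) + "."
    return {full_name, parts[0], initials, *extra}


def find_pool(mailbox, variants):
    """Step 1: every message whose subject or body refers to the employee."""
    patterns = [_whole(v) for v in variants]
    return [e for e in mailbox
            if any(p.search(e.subject + "\n" + e.body) for p in patterns)]


def narrow(pool, start=None, end=None, keywords=()):
    """Step 2: restrict the pool by date range and/or keywords (optional)."""
    out = []
    for e in pool:
        if start is not None and e.sent < start:
            continue
        if end is not None and e.sent > end:
            continue
        text = (e.subject + "\n" + e.body).lower()
        if keywords and not any(k.lower() in text for k in keywords):
            continue
        out.append(e)
    return out


def redact_third_parties(text, third_parties):
    """Step 3: replace names of other individuals whose data is being
    withheld. Which names go in `third_parties` is decided beforehand."""
    for name in third_parties:
        text = _whole(name).sub("[REDACTED]", text)
    return text


def triage(full_name, extra_variants, mailbox, third_parties,
           start=None, end=None, keywords=()):
    """Run the three steps and return release-ready copies. Headers are
    kept: the requester's own name and address are their personal data."""
    pool = narrow(find_pool(mailbox, name_variants(full_name, extra_variants)),
                  start, end, keywords)
    return [{"sent": e.sent.isoformat(), "from": e.sender, "to": e.recipients,
             "subject": redact_third_parties(e.subject, third_parties),
             "body": redact_third_parties(e.body, third_parties),
             "third_party_redacted": any(_whole(n).search(e.subject + e.body)
                                         for n in third_parties)}
            for e in pool]


def sample_run():
    """Requester 'Jo Bloggs' (also known as 'Joanne Bloggs'), messages from
    June 2023 onwards, 'Sam Patel' treated as a third party to be withheld."""
    return triage("Jo Bloggs", ("Joanne Bloggs",), MAILBOX, ["Sam Patel"],
                  start=date(2023, 6, 1))


if __name__ == "__main__":
    for item in sample_run():
        print(item["sent"], item["subject"], "->", item["body"])
```

Two details matter in practice. Plain word-boundary matching misses identifiers that end in punctuation (initials such as "J.B."), so the matcher uses lookarounds; and the redaction list is deliberately an input rather than something the code infers, because the decision to withhold a line manager's name or a complainant's identity is the judgement the guide describes, not a string operation.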
The reasonableness of disclosing "other individual" personal data without consent depends on context. Even in the absence of consent, it is likely to be reasonable to disclose information where the other individual's role includes line management responsibility for the employee making the request and the information relates to performance of that role. By way of contrast, it will be more difficult if, for example, there is a request by a person alleged to have engaged in sexual harassment for information as to who made the allegation and what he or she said. In such cases, in the absence of consent, the serious nature of the allegation (which might point to disclosure) must be weighed against factors such as any duty of confidentiality owed to the complainant, the circumstances of the complaint and any potentially adverse consequences for the complainant of revealing his or her identity.
The ICO's SARs Q&A for employers provides guidance on dealing with emails an employee is copied into. It states that an employer must consider what information in the email is the personal information of the requesting employee, the content of the email and the context of the information it contains. It is for the employer to determine whether any of the information in the email is the requester’s personal information. According to the ICO, the employer should keep in mind that:
- As the right of access only applies to the requester’s personal information contained in the email, partial disclosure of an email may comply with the request.
- Email about business matters could be the requester’s personal information, depending on the content of the email and whether it is about the requester.
- Just because the requester receives the email, this does not mean that the whole content of the email is their personal information. The context of the information is key. However, the requester's name and e-mail address are their personal information, and an employer must disclose this information.
Deletion of data generally aims to remove it, as far as possible, from the employer's systems. Although it may be possible, at least in theory, to recreate it, that is not something that the Information Commissioner expects or requires. However, the employer must not delete data to defeat a subject access request. It is an offence for an employer, or a person employed by the employer, to alter or erase information with the intention of preventing disclosure.
Unless the employer is the data controller, data held on systems not operated by the employer falls outside the scope of a subject access request. However, if employees are permitted to hold personal data relating to work on their own devices, they may be acting as the employer's agent and, if so, that data would be within the scope of the subject access request.
The ICO's SARs Q&A for employers notes that an employer must search its social media platforms for any personal information if that information falls within scope. It should consider social media posts supplied by others as potentially in scope.
Exemptions to providing subject access
There is no obligation to comply with a subject access request in relation to:
- Personal data in respect of which a claim of legal professional privilege could be maintained in legal proceedings.
- Purely personal or household activity. This covers personal information, but probably not records made personally in a work context.
- A reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference whether processed by the reference giver or the recipient.
- Personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that complying with a subject access request would prejudice the conduct of the business or activity. For example, it is likely to prejudice the conduct of a business if information on a staff redundancy programme is disclosed in advance of it being announced to the rest of the workforce.
- Personal data consisting of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the subject access request would be likely to prejudice the negotiations.
Other exceptions relate to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections and various corporate finance services.
If an exemption to the rules on subject access is relevant, that personal data should be redacted or otherwise removed.
Supplying information to the employee: required contents
A response to a subject access request should include a copy of the personal data being processed plus certain additional information as explained below.
The employer's response should be in writing or, if appropriate, by electronic means. If the request was made originally by electronic means, information should be provided "in a commonly used" electronic form unless otherwise requested by the employee.
The employer must supply a copy of the personal data concerning the employee, subject to the rules on data that also identifies other individuals. The following should be borne in mind:
- Although the requirement is to provide a copy of personal data, not a specific document, it will often be easiest to produce a copy of the document with redactions.
- Redactions may be made to protect the identity of another individual who is identified through the employee's personal data.
- Although it will often be easiest to produce a copy document with redactions, the personal data could be extracted and copied to a different document.
- Personal data may be repeated in various places, but only need be provided once.
- Where there is a large quantity of largely repetitive data, a possible approach may be to summarise the data fairly and in reasonable detail. If such an approach is taken, it is essential that it is not used to hide information that the employer prefers not to disclose. This approach is underpinned by the principle of proportionality, so may be challenged by the employee and examined closely by the Information Commissioner.
- Make sure that when providing copies, there is no inadvertent disclosure of personal data about others.
The response to a subject access request must also include the following information, which might in practice all be covered in the employer's Privacy Notice:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom data has been or will be disclosed;
- the period during which personal data will be retained (or, where this is not possible, the criteria for determining how long it will be stored);
- information on the source of the data (if it was not obtained directly from the employee);
- whether automated decision-making (including profiling) has been used and, if it has, information about the logic involved, as well as the significance and envisaged consequences of the processing for the employee;
- information regarding complaints and disputes: the right to complain to the ICO, the right to request rectification or erasure of personal data, to object to processing of data or to restrict that processing; and
- where personal data is transferred to a third country or an international organisation, information on any Article 46 safeguards (for example, use of model clauses or binding corporate rules).
If the above information is set out in an employer's privacy notice, the employer can provide a link to, or a copy of, the notice to the employee.
SAR Q&A for Employers
On 24 May 2023, the Information Commissioner's Office (ICO) published guidance on subject access requests (SARs) for businesses and employers, "SAR Q&A for Employers".
Key questions and answers include the following:
- Do we have to advise the requester if we are withholding information? The ICO advise that although employers should be as transparent as possible, an employer may not need to advise that information is being withheld if this would defeat the object of the exemption.
- We’ve had a request for CCTV footage, but it contains images of other people. Do we have to disclose it? The ICO confirm that CCTV footage would be personal information requiring disclosure if requested. They recommend that employers install CCTV that is capable of redacting information relating to third parties. If this is not possible, the ICO recommend obtaining consent of the third parties or considering if it's reasonable to disclose without consent.
- What happens if a worker isn’t happy with their SAR response? The ICO recommend that requesters initially complain to their employer and that the parties attempt to resolve the issue. When responding to a request it may be worth informing the employee that any complaint should be raised with them directly first. A complaint to the ICO should be a last resort.