Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

UK: ICO's guidance on DSARs for employers

In this Insight article, Toby Pochron, from Freeths, presents a comprehensive overview of the Information Commissioner's Office's (ICO) guidance on Data Subject Access Requests (DSARs) for employers. Toby delves into the key aspects and practical considerations, equipping employers with valuable insights and actionable recommendations in navigating the complex landscape of DSARs.

Data protection legislation has been one of the fastest-evolving areas of law in recent years. An area that has continued to be strengthened and reinforced year after year is the right of access to data for data subjects.

Employers play a crucial role in ensuring that data protection rights are upheld and maintained. It would certainly be arguable that an employer is likely one of the organizations that holds the most data about a data subject, in this case, their employees. The data that an employer holds could reveal significant amounts of sensitive information about that employee, including their financial details or sensitive data about their health and well-being.

Eoneren / Signature collection /

On May 24, 2023, the ICO published new guidance specifically targeted at employers on how to respond to DSARs. This is interesting in itself, as all data controllers are required to ensure that they comply with the legislation and allow the right of access. The ICO has already provided guides and information related to this general obligation for all controllers. This raises an initial question: why do employers warrant special treatment?

Perhaps there is a relaxed approach in respect of employers who may not consider themselves to be controllers of data in a commercial sense. Using data in the context of providing services to a customer requires deliberation and a commercial aim. However, employees use data primarily for their benefit, such as receiving their salary, operating company benefits, ensuring sick pay, and guaranteeing rights to pensions. This perception might lead employers to believe they can evade the strict requirements of the DSAR regime.

For an employer, the first encounter with a DSAR will usually be when it is submitted together with a grievance from an employee, a former employee's claim, or during a disciplinary or poor performance process involving a disgruntled party. It can be surprising to discover the need to disclose large amounts of data. A DSAR may be used by a data subject as a means to lawfully seek to disrupt or confuse an employer during these processes for the benefit of the employee. If the employer adopts this perspective, they may tend to consider the request as manifestly unfounded and wrongfully made, providing them with the option to deny access.

The structure of questions in the new guidance suggests that employers have likely been posing questions and seeking clarification about what to do when they get a DSAR. While we cannot know the ICO's intentions, it appears that they may have recognized a recurring trend in this area, as the guidance certainly reads as a list of frequently asked questions. If this is indeed the case, it presents a way to reduce a trend in calls asking the same set of questions, which is commendable. This guidance is both practical and based in reality, making it a powerful resource and a positive development from the ICO.

It is best to start at the end here, and the ICO has clearly defined its role in this matter. The ICO is there to provide organizations with information and guidance. However, when it comes to questions like, "Can the ICO advise me on what to include in an SAR response?" the answer is straightforward: no. The ICO can offer guidance and information, but it does not provide a step-by-step approach to running your business.

Despite this straightforward response, the guidance is a useful refresher for employers on how to handle DSARs. In this Insight article, we will highlight the key and interesting aspects of the guidance and conclude with some best practice guidance. None of this guidance represents a groundbreaking shift; it is not new or revolutionary. What this guidance excels at is providing a concise summary or a ready guide for employers to answer some common queries for when a DSAR lands, especially for first-timers.

The guidance begins with a summary of the right of access, emphasizing a key point for employers, which is also highlighted in bold text by the ICO: Employers must respond to a DSAR without delay. This reinforcement serves to underscore that this is a legal right and should not be dismissed or taken lightly. Legal rights are legal rights and cannot simply be ignored.

The guidance then confirms that there is no prescribed format for the DSAR. This is a reminder that employers should be aware of; they need to be vigilant in recognizing DSARs, whether they come in formal requests, very short requests, confusing requests, or just spoken down a telephone. The same legal rights apply to all forms of DSARs, and the clock starts ticking as soon as the DSAR is received. A practical tip for employers is to make sure that their staff know what a DSAR is and how to spot one, especially since these requests can often appear innocuous. The ICO provides examples such as, "Please send me my HR file," "Can I have a copy of the notes from my last appraisal," "What information do you hold on me," and "Can I have a copy of the emails sent by my manager to HR regarding my verbal warning?" These may seem like routine requests for information and could easily be overlooked if not recognized as DSARs.

A good tip from the guidance with respect to clarifying a request is that an employer can do this, but they should only do it when it is genuinely required or when there is a large amount of information. These are the two clarification points named by the ICO. Employers should not be requesting clarification routinely just to extend the time limits or when it is evident that only limited information is involved in the DSAR.

The guidance also provides a helpful summary of withholding information or refusing to provide the right of access. Employers are to note that you cannot refuse requests in a blanket manner; it must be on a case-by-case assessment. Moreover, if an employer decides to do this, they must ensure that they document the reason behind their decision. In the event of a complaint, the ICO will require access to these records to understand how the employer came to that decision.

There are some useful employment-specific scenarios that are also mentioned in the guidance. We will briefly mention the points concerning 'information about others' in this note, emphasizing that employers should seek consent for disclosure if they can (or when consent is feasible). In cases where consent is not obtained, the employer should make the necessary redactions. However, it is important to note that only the necessary redactions should be made, to avoid overly cautious blackouts that may obscure other relevant and potentially disclosable information.

The ICO then looks at several specific scenarios that commonly arise for employers in practice. Notably, there is a great piece of guidance about witness statements used in internal processes. In summary, employers will usually be required to disclose witness evidence unless these statements were provided with an expectation of confidentiality, and redacting the statement would not effectively conceal the writer’s identity. This is particularly relevant for employers going through confidential investigations in respect of discrimination or harassment. If it is clear that the witness's identity would remain discernible despite name redaction, for example, there may be no obligation to include it in a DSAR response. Employers must remember the distinction between DSARs and normal employment practices. The obligation to disclose under a DSAR may not apply, but separate considerations of natural justice should be taken into account within the internal employment process. This also pertains to employment tribunal proceedings and the internal grievance process. The ICO confirms that an employer cannot simply refuse to provide personal information because it may be used in litigation. Employers may rely on exemptions only when they genuinely apply, not merely to gain an advantage in a separate claim.

The guidance addresses the rights of whistleblowers, who have the right to statutory protection. Employers are reminded to balance the legal rights of whistleblowers, ensuring they receive adequate protection while also considering the rights of the individual making the DSAR. If disclosing a whistleblowing report would compromise an investigation or subject the whistleblower to harm or detriment, a decision could be taken to not disclose it.

DSAR for references is a common issue for employers. If an employee suspects that an employer has been making unfavorable statements to a potential new employer, resulting in a job offer being withdrawn, they typically want to know what was said. The guidance reconfirms that confidential references are exempt from a DSAR if they pertain to the education, training, or employment of someone, someone working as a volunteer, appointing someone to office, or the provision of any service by someone. A great practical tip for employers who want to rely on an exemption when providing a reference is included with the guidance: clearly state that the reference is confidential and provided to the receiving party on that basis. This should be backed up by a privacy statement or an internal policy document that confirms the same. In the absence of such documentation, an employer still needs to consider disclosure on a case-by-case basis and will have to balance the reasons for withholding the information against the risk and impact on the other parties involved, such as the referee personally.

The guidance on legal professional privilege (advice from solicitors), prevention of crime, assessment of taxation, and withholding management information used for forecasting or upcoming changes remain consistent with previous guidance. However, an interesting and often overlooked note is that if you are in negotiations with an employee, usually to settle a claim or facilitate their exit through a settlement agreement, records of negotiation intentions are exempt from the right of access if they would prejudice an employer's position in the future. This exemption generally applies only while negotiations are ongoing. Once negotiations conclude, whether by one or both parties, this exemption is less likely to continue. A DSAR does not affect the without-prejudice nature of correspondence and its non-disclosure to a court or tribunal. However, the information contained in these negotiation records could be particularly valuable to an employee in an ongoing claim.

Building upon this, there is a reminder that non-disclosure agreements (NDAs) and Settlement Agreements do not undermine the right of access. An employee may agree to withdraw an already submitted DSAR as part of an agreement or agree not to pursue a claim. However, if a new DSAR is issued later, the NDA or Settlement Agreement cannot override the right of access.

The guidance also provides clarity on what types of searches should be undertaken in order to comply with the DSAR. An employer has to provide CCTV footage to an employee. If this footage contains other people's data, it should be redacted using a blurring tool or their consent should be obtained. Submitting CCTV footage without consent may be reasonable in certain circumstances. The guidance reminds employers that they should be doing searches across all platforms, including social media, internal messenger, chat channels, etc. Employers must make efforts to search these platforms. In practice, these platforms are often not designed for easy information retrieval. Employers need to consider this now and how they are going to capture this information, especially in cases where messages are frequently sent, as this could result in a substantial amount of data. Employers may use exporting functions or reporting tools, and a technology-based solution is preferable to taking screenshots of massive amounts of messages.

This guidance regarding where to search for data aligns well with the queries about handling work emails. Again, there's good clarity provided here. An employer may not have to disclose all the emails in which an employee has been copied, but they need to consider whether the content is personal information. Just being copied into routine business communication does not mean that the email's body contains the employee’s data, but their email address is still considered their personal data. Even if an employee has worked for a short time, there could still be massive amounts of emails that flag in an initial search but do not actually contain relevant personal data. The ICO confirms that it may be considered manifestly excessive if there are a large number of entries. However, simply deeming a request as excessive based on the number of results is not the best practice. Employers should still consider if they can provide information in summary form. For example, a confirmation that there are thousands of emails that just confirm the requester's name and email address is a step towards compliance and should assist employers in managing this challenging task. It is crucial to remember that a request is not necessarily excessive just because a large amount of information is requested.

The guidance on what to consider for a manifestly unfounded request remains the same. A practical tip to remember is that using foul or abusive language in a request does not automatically make it manifestly unfounded. The core considerations for manifestly unfounded requests continue to revolve around the requester's intent, whether it involves harassment, malicious intent, causing disruption, or a clear lack of genuine intention to exercise their right of access. The offensive tone alone is not the sole determinant.

DSARs are not easy for employers. The best practical steps that an employer can take now involve careful planning. Establish a clear procedure for those dealing with these requests, train all staff on how to spot requests and what their obligations are, confirm to all staff that their emails are disclosable, and they should not write anything with an expectation that it will not be seen by someone it mentions. Make sure all communication channels are set up for easy retrieval of data. For HR teams and those doing internal processes with employees, it is essential to be aware of what is and is not disclosable. Additionally, ensure that privacy policies or other internal policies clearly set out how references, witness statements, or negotiation notes will be handled.

Toby Pochron Director
[email protected]
Freeths LLP, England