Search

How can we help?

Icon

ICO publishes enforcement notice after SAR failure

Subject Access Requests (SARs) are on the rise as more and more data is collected for social, personal and work purposes. In particular, we have noticed a significant increase within the context of employment and/or workplace disputes.  

DSARs are no longer exclusively the tool of those interested in how and what data is being processed. Instead aggrieved or disciplined, current or former employees are exercising their Article 15 (of the UK GDPR) right of access in order to review emails, notes (as long as this is processed), minutes of meetings, and anything else that includes their personal data.  

Companies should exercise huge caution when responding to SARS, in our experience we have seen countless examples of inadvertent sharing of someone else’s personal data or the withholding of personal data for illegitimate reasons.  

It is widely recognised that responding to such requests can be a huge burden on employers, depleting both financial and human resources. This is particularly prevalent where the employee has been employed for a significant amount of time and their submitted SAR is a general one for ‘all my personal data’.  

Whilst Data Subjects are entitled to this, the ICO mitigates the Data Controller’s obligations by only expecting them exercise reasonable searches to locate this datathere are also allowances for several exemptions such as privileged material or instances where the data of one subject cannot be separated from the data of another. However, reasonable searches is not a particularly low threshold and greatly depends on the resources available to the Data Controller. 

Jacob Montague

Senior Solicitor

View profile

+44 118 960 4613

Companies should exercise huge caution when responding to SARS, in our experience we have seen countless examples of inadvertent sharing of someone else’s personal data or the withholding of personal data for illegitimate reasons.  

This growing trend of SARs continues to extend beyond the internal grievance/disciplinary processes and into the employment tribunal. Unsurprisingly, this can lead to an overlap with each party’s disclosure obligations. It is crucial that the matters are seen as separate and exclusive, as in certain circumstances, this can result in confusion or an unwillingness for the Data Controller to respond. This is highlighted by a recent Enforcement Notice published by the ICO

This is the first enforcement notice relating to a company’s refusal to comply with a SAR and should come as strong warning to employers who choose not to respond to requests adequately and in line with the guidance.  

In summary, the data subject made a request at a similar time to initiating proceedings at an employment tribunal. The Controller wrongly assumed that any disclosure, whether through the employment proceedings or the subject access, where one and the same and repeatedly failed to respond to the request.  

The Controller stated that: “You only have any right to relevant information to your claim, not a wish list of documents which you have no need to see even if some of them existed. As indicated, I will provide all required information related to your claim when instructed to do so by the Tribunal.”  

Despite repeated requests from the ICO, the Data Controller failed to acknowledge the rights of the Data Subject, that the tribunal disclosure was a separate exercise, and that the right of access must be complied with. As such, the ICO submitted the enforcement notice, a name-and-shame of those with poor data protection practices, and also further instructions for the Data Controller to respond appropriately, and “to carry out such changes to its internal systems, procedures and policies as are necessary to ensure that future subject access requests …. are identified and complied with in accordance with Article 15 of the UK GDPR”. 

We know that the ICO wields very strong powers. As this is one of the first of its kind, it shows that they are closely monitoring response to DSARs; we expect this to be the first of many.  

Our team are experienced in advising companies on how to respond and deal with SARs. We understand the complexities that surround them and ensure that the Data Subject receives what they are entitled to. 

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jacob Montague

Senior Solicitor

View profile

+44 118 960 4613

About this article

Read, listen and watch our latest insights

art
  • 19 April 2024
  • Employment

Amanda Glover comments on ‘Employment law isn’t working for anyone’ for HR Magazine

In HR magazine, Amanda Glover, Associate at Clarkslegal responds to the recent article titled ‘Employment law isn’t working for anyone’ by Libby Purves in The Times last week.

art
  • 17 April 2024
  • Immigration

Shaping Britain’s Future: updates to Skilled Worker and Family visas

In December 2023, the UK government, under Home Secretary James Cleverly, announced a five-point plan aimed at reducing net migration, with significant revisions to visa regulations.

art
  • 17 April 2024
  • Employment

‘Injured feelings’- Vento Bands price increase 2024

Injuring someone’s feelings through acts of discrimination, harassment or victimisation can be a costly business.

art
  • 17 April 2024
  • Employment

FAQs on the long awaited amendments to Statutory Paternity Leave

This April has seen a wave of new family friendly rights come into force. Amongst these, is the long awaited amendments to Statutory Paternity Leave.

art
  • 10 April 2024
  • Employment

New Guidance: Confidence to Recruit

The new Government guide in collaboration with the CIPD aims to give employers the confidence to recruit its workforce from a wider range of people including those who may have been overlooked in the past as a problem rather than an asset.

art
  • 03 April 2024
  • Employment

FAQ’s on the new Carer’s Leave Act

Beginning on 6 April 2024, the Carer’s Leave Act comes into force, meaning carers are now entitled to request 1 week’s unpaid leave to care for their dependants.