Search

How can we help?

Icon

ICO publishes enforcement notice after SAR failure

Subject Access Requests (SARs) are on the rise as more and more data is collected for social, personal and work purposes. In particular, we have noticed a significant increase within the context of employment and/or workplace disputes.  

DSARs are no longer exclusively the tool of those interested in how and what data is being processed. Instead aggrieved or disciplined, current or former employees are exercising their Article 15 (of the UK GDPR) right of access in order to review emails, notes (as long as this is processed), minutes of meetings, and anything else that includes their personal data.  

Companies should exercise huge caution when responding to SARS, in our experience we have seen countless examples of inadvertent sharing of someone else’s personal data or the withholding of personal data for illegitimate reasons.  

It is widely recognised that responding to such requests can be a huge burden on employers, depleting both financial and human resources. This is particularly prevalent where the employee has been employed for a significant amount of time and their submitted SAR is a general one for ‘all my personal data’.  

Whilst Data Subjects are entitled to this, the ICO mitigates the Data Controller’s obligations by only expecting them exercise reasonable searches to locate this datathere are also allowances for several exemptions such as privileged material or instances where the data of one subject cannot be separated from the data of another. However, reasonable searches is not a particularly low threshold and greatly depends on the resources available to the Data Controller. 

Jacob Montague

Senior Solicitor

View profile

+44 118 960 4613

Companies should exercise huge caution when responding to SARS, in our experience we have seen countless examples of inadvertent sharing of someone else’s personal data or the withholding of personal data for illegitimate reasons.  

This growing trend of SARs continues to extend beyond the internal grievance/disciplinary processes and into the employment tribunal. Unsurprisingly, this can lead to an overlap with each party’s disclosure obligations. It is crucial that the matters are seen as separate and exclusive, as in certain circumstances, this can result in confusion or an unwillingness for the Data Controller to respond. This is highlighted by a recent Enforcement Notice published by the ICO

This is the first enforcement notice relating to a company’s refusal to comply with a SAR and should come as strong warning to employers who choose not to respond to requests adequately and in line with the guidance.  

In summary, the data subject made a request at a similar time to initiating proceedings at an employment tribunal. The Controller wrongly assumed that any disclosure, whether through the employment proceedings or the subject access, where one and the same and repeatedly failed to respond to the request.  

The Controller stated that: “You only have any right to relevant information to your claim, not a wish list of documents which you have no need to see even if some of them existed. As indicated, I will provide all required information related to your claim when instructed to do so by the Tribunal.”  

Despite repeated requests from the ICO, the Data Controller failed to acknowledge the rights of the Data Subject, that the tribunal disclosure was a separate exercise, and that the right of access must be complied with. As such, the ICO submitted the enforcement notice, a name-and-shame of those with poor data protection practices, and also further instructions for the Data Controller to respond appropriately, and “to carry out such changes to its internal systems, procedures and policies as are necessary to ensure that future subject access requests …. are identified and complied with in accordance with Article 15 of the UK GDPR”. 

We know that the ICO wields very strong powers. As this is one of the first of its kind, it shows that they are closely monitoring response to DSARs; we expect this to be the first of many.  

Our team are experienced in advising companies on how to respond and deal with SARs. We understand the complexities that surround them and ensure that the Data Subject receives what they are entitled to. 

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jacob Montague

Senior Solicitor

View profile

+44 118 960 4613

About this article

Read, listen and watch our latest insights

Pub
  • 10 December 2024
  • Corporate and M&A

The Business Boardcast: Company Secretarial Updates

Join Stuart Mullins from Clarkslegal and Nicky Goringe Larkin from Goringe Accountants and Succession Planning as they discuss helping business owners and directors stay compliant with key company secretarial updates.

art
  • 10 December 2024
  • Corporate and M&A

The value of cyber security for mergers and acquisitions

Developing a robust cybersecurity strategy is essential to ensuring value retention, securing sensitive data, minimising risks and a seamless transfer during and after the merger or acquisition.

Pub
  • 10 December 2024
  • Privacy and Data Protection

UK Data Protection: What happened in 2024 and what’s in store in 2025?

It’s been a year of political change and uncertainty for data protection. Join our data protection webinar, where we will discuss the implications of the Data Protection and Digital Information Bill not passing and the upcoming Digital Information and Smart Data Bill from the King’s Speech, which will affect existing laws.

art
  • 09 December 2024
  • Corporate and M&A

UK Directors’ Responsibilities

On becoming a director of a company, directors undertake to comply with various duties and responsibilities. which are specified in the Companies Act 2006. In this article, we will explain how you can comply with these practical responsibilities.

art
  • 09 December 2024
  • Commercial Real Estate

What happens to a sublease when the headlease is surrendered, forfeited or disclaimed?

The intermediate tenant under the headlease falls away and the tenant under the sublease becomes the direct tenant of the superior landlord.

art
  • 09 December 2024
  • Employment

Mistletoe and Missteps: Preventing Harassment at Christmas Parties

As the festive season approaches, offices are coming together for their annual Christmas parties, offering a chance to unwind and celebrate the year’s achievements. However, whilst these events provide a necessary release and recognition of employee’s contributions, they also present a heightened risk of inappropriate behaviour, particularly sexual harassment.