ICO publishes enforcement notice after SAR failure

Subject Access Requests (SARs) are on the rise as more and more data is collected for social, personal and work purposes. In particular, we have noticed a significant increase within the context of employment and/or workplace disputes.  

DSARs are no longer exclusively the tool of those interested in how and what data is being processed. Instead aggrieved or disciplined, current or former employees are exercising their Article 15 (of the UK GDPR) right of access in order to review emails, notes (as long as this is processed), minutes of meetings, and anything else that includes their personal data.  

Companies should exercise huge caution when responding to SARS, in our experience we have seen countless examples of inadvertent sharing of someone else’s personal data or the withholding of personal data for illegitimate reasons.  

It is widely recognised that responding to such requests can be a huge burden on employers, depleting both financial and human resources. This is particularly prevalent where the employee has been employed for a significant amount of time and their submitted SAR is a general one for ‘all my personal data’.  

Whilst Data Subjects are entitled to this, the ICO mitigates the Data Controller’s obligations by only expecting them exercise ‘reasonable searches‘ to locate this data; there are also allowances for several exemptions such as privileged material or instances where the data of one subject cannot be separated from the data of another. However, ‘reasonable searches‘ is not a particularly low threshold and greatly depends on the resources available to the Data Controller. 

This growing trend of SARs continues to extend beyond the internal grievance/disciplinary processes and into the employment tribunal. Unsurprisingly, this can lead to an overlap with each party’s disclosure obligations. It is crucial that the matters are seen as separate and exclusive, as in certain circumstances, this can result in confusion or an unwillingness for the Data Controller to respond. This is highlighted by a recent Enforcement Notice published by the ICO. 

This is the first enforcement notice relating to a company’s refusal to comply with a SAR and should come as strong warning to employers who choose not to respond to requests adequately and in line with the guidance.  

In summary, the data subject made a request at a similar time to initiating proceedings at an employment tribunal. The Controller wrongly assumed that any disclosure, whether through the employment proceedings or the subject access, where one and the same and repeatedly failed to respond to the request.  

The Controller stated that: “You only have any right to relevant information to your claim, not a wish list of documents which you have no need to see even if some of them existed. As indicated, I will provide all required information related to your claim when instructed to do so by the Tribunal.”  

Despite repeated requests from the ICO, the Data Controller failed to acknowledge the rights of the Data Subject, that the tribunal disclosure was a separate exercise, and that the right of access must be complied with. As such, the ICO submitted the enforcement notice, a name-and-shame of those with poor data protection practices, and also further instructions for the Data Controller to respond appropriately, and “to carry out such changes to its internal systems, procedures and policies as are necessary to ensure that future subject access requests …. are identified and complied with in accordance with Article 15 of the UK GDPR”. 

We know that the ICO wields very strong powers. As this is one of the first of its kind, it shows that they are closely monitoring response to DSARs; we expect this to be the first of many.  

Our team are experienced in advising companies on how to respond and deal with SARs. We understand the complexities that surround them and ensure that the Data Subject receives what they are entitled to.