The Information Commissioner ('ICO') has issued a new Code of Practice setting out comprehensive guidance for the handling of subject access requests (SARs). It helpfully updates how to recognise, deal with and respond to a SAR and clarifies how data controllers, often the employer of the data subject making the request, are expected to behave when receiving a SAR. It also suggests good practice for organisations and employers to demonstrate that they take a positive approach to subject access. The Code modifies existing guidance, particularly about personal data held in email accounts and on devices such as laptops and smartphones owned by employees and used in the course of their employment. In this article, we review how to handle a SAR, highlighting important changes and suggesting key practical points for employers.
What is a Subject Access Request?
To recap, under s.7 of the Data Protection Act 1998 (DPA), individuals have the right to see copies of the personal data an organisation holds about them, why this information is held, and to whom it may be disclosed. 'Personal data' means data relating to a living individual or from which that individual can be identified - either on its own or with other information likely to come into the possession of the data controller. An organisation has 40 days to respond to the SAR.
What information is an individual entitled to?
The Code of Practice clarifies that an individual is entitled to be told whether any of their personal data is being processed, the reason for the processing, and whether it will be given to any other people or organisations. Individuals should also be given a description of the data and are entitled to know its source. 'Personal data' can be data held in electronic form or in a 'relevant filing system'. Paper records count as a relevant filing system for the DPA if they are held in a 'sufficiently systematic, structured way'. If paper records are held in no particular order (for example in an unindexed file), they may not be subject to the right of access. Most HR records are now held electronically and are easily accessible, and therefore qualify as 'personal data'.
Recognising a SAR
The Code of Practice confirms that a request for personal data must be made in writing, but does not have to be in a particular form, or contain the words 'subject access', or refer to the DPA. Employers should assess the potential for SARs to be received through social media such as the company Facebook or Twitter and "take reasonable and proportionate steps to respond effectively to requests received in this way". Data controllers are entitled to satisfy themselves as to the identity of the person making the request, so an employee who makes a SAR through social media will also need to confirm it separately, for example in writing or in person, and of course the £10 fee must be paid.
Finding and retrieving information
Guidance is provided on the steps an organisation or employer should take to find and retrieve relevant information. The DPA does not permit the exclusion of information in response to a SAR merely because it is difficult to find, and expressly states that extensive efforts to find and retrieve relevant information should be made. The Code states that, as it is difficult to truly erase all electronic records, a data subject may be entitled to personal data that an employer does not have ready access to, as long as it still holds the data and, given time and technical expertise, can retrieve it. Employers should have procedures in place to find and retrieve personal data that has been electronically archived or backed up, for example in the Cloud.
Information stored on personal devices
The Code suggests that employers should have a policy restricting the circumstances in which staff may hold information about customers, contacts, or other employees on their own devices or in private email accounts. If an employer permits employees to hold personal data on their own devices, the employees may be processing that data on the employer's behalf, in which case such data could fall within the scope of a SAR made by another employee. The Code does however recognise that the purpose for which the information is held is relevant and that employers would not be expected to instruct employees to search their private emails or personal devices unless the employer has good reason to believe they are holding personal data relevant to the request. All employers should check that their Bring Your Own Device policy is comprehensive in taking account of all possible ways in which data may be held by employees and also enables easy compliance with the requirements of a SAR.
SARs and third parties
Responding to a SAR may involve providing information relating to another individual. Under the DPA, an employer is not required when complying with a SAR to disclose information about another individual (e.g. another employee) who can be identified from that information, unless the other individual has consented to the disclosure, or it is reasonable in all the circumstances to comply with the request without that individual's consent, decided on a case by case basis. The decision will involve balancing the data subject's right of access to personal data with the other employee's rights in respect of their own personal data. An employer should consider whether a duty of confidentiality is owed to the third party, and also any stated refusal of consent.
In the employment relationship information that is not generally available to the public may have been disclosed to the employer with the expectation that it will remain confidential, an obvious example being in a letter or email marked 'Confidential'. Depending on the circumstances, it may be possible to provide some information, having redacted the document by blanking out the data that would identify the other employee or otherwise breach confidentiality.
Supplying information to the data subject
Personal data that is relevant to the request should be communicated to the subject in an intelligible form, and a copy should be supplied in a permanent form. However, the employer is not required to produce the relevant information in permanent form where the data subject agrees to another format or when the supply of such a copy would involve disproportionate effort. This exemption can be most relevant where a large volume of data is concerned.
The DPA recognises that there are circumstances in which an employer may have a legitimate reason for not responding in full to a SAR. The Code lists examples, such as confidential references given for the purposes of an employee's training or employment. References received from a third party do not benefit from this exemption. Personal data that is processed for management forecasting, or disclosure of which would be likely to prejudice the business or other activity of the organisation, is also exempt. For example, if an employer is planning a redundancy exercise and an employee makes a SAR before the process starts, the company does not have to disclose its plans in response to the SAR if doing so would, as is likely, prejudice the conduct of the business. Some organisations which perform regulatory activities, such as protecting the public or charities or ensuring fair competition in business, can withhold personal information on receipt of a SAR.
SARs in legal proceedings
Personal data for which legal professional privilege can be claimed in legal proceedings is also exempt. This means that, as long as they are clearly privileged, emails and letters between HR and their advisers do not have to be provided in response to a SAR. Employers should ensure that they mark these communications appropriately. Where, however, privilege cannot be claimed, an employer may not refuse to supply information in response to a SAR simply because it is requested in connection with actual or potential legal proceedings. The DPA provides that the right of subject access overrides any other legal rule that limits disclosure. The Code, however, recognises a discrepancy between the DPA and case law. The courts have decided that the SAR regime is not a substitute for the disclosure process during litigation. The Code records that the Information Commissioner does not accept this view but recognises that the courts have discretion whether or not to order compliance with a SAR. If a court believes that the provision of information is best dealt with in disclosure in connection with legal proceedings, it may refuse to order personal data to be disclosed in response to a SAR.
An employee who believes they are affected by the processing of personal data may ask the ICO to assess whether that processing complies with the DPA. A compliance assessment is carried out by the ICO and if it shows that an organisation has failed to comply with the DPA, the ICO can require that it takes steps to comply with the data protection principles. The Information Commissioner may also serve an enforcement notice if he is satisfied that an organisation has failed to comply with the subject access provisions. Failure to comply with an enforcement notice is a criminal offence. He also has a statutory power to impose a financial penalty on an organisation if satisfied that the organisation has committed a serious breach of the DPA likely to cause substantial damage or distress. An individual may also apply for enforcement by court order. If an individual suffers damage because their employer or organisation has breached the DPA, they can claim compensation in the courts from the employer or organisation.
Ten simple steps when processing a SAR
The Code sets out a 10-step process which employers should ensure they follow when processing a SAR:
- Identify whether a request qualifies as a SAR.
- Ensure there is enough information to verify the data subject's identity – not likely to be an issue for employers.
- Ask for any further information needed from the employee to find out what they want at an early stage.
- Ask for the fee promptly.
- Check whether the information the employee wants is available.
- Not change any relevant data, even if it is inaccurate or embarrassing.
- Consider whether the relevant records contain information about other people.
- Consider whether any of the exemptions apply.
- Explain any complex terms or codes in the information disclosed.
- Provide the response in a permanent form, where appropriate.
To this, we add that all employers should – in any event – check their Bring Your Own Device policy and also review their protocols for communication between HR and external advisors.
Further guidance on the ICO's Code of Practice can be found here.