New ICO guidance for employers responding to data subject access requests
By Noirin M. McFadden and Claude-Étienne Armingaud
Today, the UK data protection regulator, the ICO, has published guidance to assist employers in responding to data subject access requests (DSARs) from current and former employees. DSARs have become the primary tool for employees attempting to gain leverage against employers during a dispute or grievance process: they can be extremely time-consuming and resource intensive for employers to deal with, and it is a difficult balance to strike between upholding employees’ right of access under the UK GDPR and applying exemptions from disclosure in an appropriate way.
The new guidance covers issues that often occur when employers try to strike this balance, and notably:
- How the DSAR response process interacts with an ongoing tribunal or grievance process involving the employee making the request – The guidance makes clear that in this situation, the employer must deal with the DSAR, despite the risk that some of the personal data provided could circumvent the litigation disclosure process;
- Enshrining one of the limited exceptions to oppose complying with a DSAR, by considering that where an employee offers to withdraw a DSAR in return for a higher settlement payment, this could be evidence that the DSAR is “manifestly unfounded.”
A common issue for employers in responding to DSARs is how to handle the large amount of emails that a search may turn up on which the only relevant personal data is the employee’s name and email address in copy. The guidance notes that context will be relevant, so employers should assess and determine in each case whether the content of such emails qualifies as the employee’s personal data.
Overall, the new guidance is likely to provide welcome clarification for employers who find themselves in some of these common situations.