Subject Access Requests (SAR) — new guidance
In this article we set out some of the key points from the guidance based on the queries that we receive when complying with SARs from employees.
The Information Commissioner’s Office (ICO) has recently published a new subject access request Q&A for employers. The guidance offers practical advice on some of the areas of concern arising from responding to SARs.
We set out some of the key points from this helpful guidance based on the queries that we receive when complying with SARs from employees.
What is a Subject Access Request?
A Subject Access Request gives an individual the right to obtain a copy of their personal information from the organisation. This includes where the organisation received the information from, the reason it is being used, and whether it is or has been shared. The request does not have to be in any particular format and can be, for example:
- “Please send me my HR file”
- “Can I have a copy of the notes from my last appraisal?”
- “What information do you hold on me?”
- “Can I have a copy of the emails sent by my manager to HR regarding my verbal warning?”
The information must be provided within one month from the date the request is received. However, this can be extended by up to two months if the SAR is complex. The guidance confirms that organisations can ask the requester to clarify a request and that the time limit for responding is paused until a response is received, but this should only be done where clarification is genuinely required.
When can information be withheld?
Often the information that has been requested includes information about a third party. The legislation confirms that you do not have to comply if the disclosure would identify someone else, except where:
- They consent to the disclosure;
- It is reasonable to comply with the request without consent.
Examples would be witness statements taken during the course of disciplinary or grievance proceedings, or whistleblowing reports.
The guidance states that consideration should be given to whether the individuals have provided consent or requested to remain anonymous, whether the individual had been assured of any confidentiality, and whether appropriate redaction could be made to the statement to allow for partial disclosure without disclosing the identity of the individual.
What about information requested during a grievance process?
The guidance has confirmed that you are required to provide the information even if the individual is going through litigation or a grievance process, and even if you believe that the individual has made the request to find information to assist with future litigation.
What about emails that the requester has been copied into?
Some organisations do not disclose such information on the basis that the requester was copied into the email and has therefore already seen it. The guidance suggests that organisations must consider what information the email contains; ultimately, whether it should be disclosed will depend on its content. The example provided in the guidance is: “a worker requested copies of all emails containing their personal information. The emails include an invitation, along with colleagues, to a team event to award team members who had closed the most cases. The email also contained “a league table” with the top five best performing team members. As the content relates to the worker, the email counts as their personal information and should be disclosed. However you should redact the names of other people included in the email before disclosing it.”
Should/Can CCTV footage be disclosed?
Yes; in most cases CCTV footage will include images of other people. The organisation should attempt to extract only the images of the requester or alternatively provide stills of the images.
If you would like advice on anything relating to subject access requests and the new guidelines, please speak to one of our expert employment law solicitors.