The Information Commissioner’s Office (ICO) has published new guidance for businesses and employers on responding to Subject Access Requests (SARs). The right of access, commonly referred to as a subject access request or SAR, gives someone the right to request a copy of their personal information from organisations. This includes where they got their information from, what they’re using it for and who they are sharing it with.
Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records. Organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex. Failing to comply to SARs is non-compliant with the law. If organisations fail to respond to SARs promptly, or at all, they can be subject to fines or reprimand.
Elanor McCombe, Policy Group Manager at the Information Commissioner’s Office said:
“The right of individuals to access information that organisations hold on them is one that is vital for transparency, and is enshrined in law. What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally-binding request. Similarly, employers may not realise that there is a strict timeframe for responding to requests, and this must be kept to.
“It’s important to not get caught out, and that is why we are publishing this guidance – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired. For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.”
Subject access requests form part of the UK General Data Protection Regulation (GDPR) and the DPA (Data Protection Act). From April 2022 to March 2023, 15,848 complaints related to subject access were reported to the Information Commissioner’s Office. The new guidance on responding to SARs can be read here.