Employees can submit subject access requests via ICO website
18 December 2023
The Information Commissioner’s Office (ICO) website now includes a tool for drafting and sending a subject access request (SAR) to an organization. It is likely that employers will start to receive requests directly via this platform, although employees remain free to submit requests in other ways.
An online SAR submission service was promised by the ICO in the ICO25 strategic plan as follows:
[W]e will develop a subject access request tool to help people make requests in ways which will help organisations to respond effectively. The tool will help people identify where to send their requests and explain what they should expect. The receiving organisation will receive information from the ICO to help them respond quickly and simply.
The SAR submission form, which can be viewed here, contains blank fields for all the required and optional information, with guidance on what to include and how to define the scope of the request as precisely as possible. The request cannot be submitted unless the required fields are completed.
Once the form is completed, the request can be previewed and sent directly to the organization via the ICO website. Both the organization and the sender will receive a copy of the request via email. The covering email also contains a brief summary of the organization’s obligation to respond, the default deadline for responding (1 month), the right to clarify the request, and a link to more comprehensive guidance.
The ICO states that this version of the service is a first iteration and will be improved subject to user feedback. Any request received via the tool includes a link for providing feedback to the ICO.
The guidance provided for requesters on the webform, which encourages the provision of detailed information about the nature and scope of the request, may reduce the number of requests which need to be clarified by recipients or which appear to be unclear or unintentionally broad in their scope. The guidance also suggests that requesters obtain an appropriate email address from the recipient organization’s privacy policy, which may reduce the risk to employers of requests being sent to inapt recipients (which is not a defence to failing to respond). Any requests submitted via the tool will be received as an email from noreply@ico.org.uk with the subject line ‘Subject access request from [NAME]’ which may, again, reduce the risk to an employer of simply not noticing a request. There is no proposal, however, to restrict requests to this platform; in fact, there are no restrictions in principle whatsoever on the form, content, or medium of a SAR, so organizations will need to remain vigilant.
Apart from the basic guidance included in the ICO’s covering email, which would help an employer who was unfamiliar with their obligations, it is not obvious that this tool will help employers to respond any more ‘quickly and simply’ as per one of the stated aims in the ICO25. Any reply must be sent to the requester directly in accordance with the current rules (the service does not modify the existing legal framework), and the email is sent by the ICO automatically on behalf of the individual without any verification of their identity, verification of the organization’s contact details, or any other vetting. As acknowledged by the ICO, this introduces an additional layer of complication for the recipient in verifying the identity of the sender, which is recommended.
The ICO has also recently published guidance for employers on responding to SARs, which we summarize in a separate article here.
How we can help
For further information or advice on responding to a SAR, please contact the team at Synchrony Law.
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.
External publications