New ICO guidance on responding to subject access requests
13 July 2023
The Information Commissioner’s Office (ICO) has recently published new guidance for employers on responding to subject access requests (SARs).
The guidance takes the form of a highly comprehensible Q&A clarifying areas of possible misapprehension and providing examples of how to respond to tricky requests in practice.
The Q&A incorporates guidance on:
the very broad scope of what may count as a SAR, which in principle incorporates any request for personal information, whatever the format and whether or not referring explicitly to subject access rights
responding to requests which would (if fulfilled) conflict with other data subjects’ rights, with examples of when to redact information and when to refuse to disclose it entirely
identifying requests which are ‘manifestly unfounded or excessive’ – this is a high bar, but a request may be manifestly unfounded if, for example, the employee states that they will withdraw it in return for compensation
situations in which the management information exemption, confidentiality considerations or one of the types of legal privilege may allow a request to be refused
responding to SARs during tribunal or grievance proceedings – generally, neither litigation nor internal disciplinary procedures will make it possible to halt the process of responding to a SAR, although they may cause some information to become privileged
disclosing CCTV footage – generally, other data subjects must be redacted; it is difficult to refuse to disclose footage altogether
How we can help
For more guidance on how to respond to an employee’s SAR, contact the team at Synchrony Law.
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.
External links