APIs UK information commissioner’s office publishes new guidance on data subject access requests

Written by Holly Spiers | Apr 19, 2023 11:00:00 AM

On May 24, 2023, the UK's Information Commissioner's Office (ICO) released an invaluable guide to assist employers in handling DSARs effectively. This guide comes in response to a surge in complaints regarding DSARs, which underscores the importance of getting it right. In this blog, we will delve into what DSARs are, their significance, and explore the key highlights of the ICO's new guidance.

Understanding Data Subject Access Requests (DSARs)

DSARs, or Data Subject Access Requests, grant individuals the right to request access to their personal information held by organisations. These requests have increasingly become strategic tools for employees seeking information, often amid disputes or grievances. Businesses must respond to DSARs within one month of receipt, although this timeframe can be extended by up to an additional two months for complex requests or multiple submissions by the employee.

"We couldn't ask for a better turnaround time when we've got queries or when our candidates have got queries as well. And it's a swift solution as well. So, it's not just the response time, but the solution provision is really good."

Understanding Data Subject Access Requests (DSARs)

DSARs, or Data Subject Access Requests, grant individuals the right to request access to their personal information held by organisations. These requests have increasingly become strategic tools for employees seeking information, often amid disputes or grievances. Buisnessses must respond to DSARs within one month of receipt, although this timeframe can be extended by up to an additional two months for complex requests or multiple submissions by the employee.

The Challenges of DSARs

Handling DSARs can be a complex and resource-intensive process. Employers must strike a delicate balance between upholding employees' right of access, safeguarding sensitive corporate information, protecting other individuals' data, and applying legal exemptions appropriately. Failure to comply with DSARs can lead to severe consequences, including fines, reprimands, and reputational damage, making it imperative for organizations to navigate them effectively.

The ICO's New Guidance

The ICO's recent guidance provides practical insights for employers facing common challenges when responding to DSARs. While it doesn't introduce groundbreaking concepts, it offers clarity on various tricky areas, such as:

- Disclosure of Witness Statements: The guidance advises on handling requests for witness statements used in internal disciplinary actions or investigations.
- Whistleblowing Reports: It outlines considerations when disclosing whistleblowing reports.
- Legal Exemptions: The guide delves into the application of existing legal exemptions, including confidential references, privilege, management information, and negotiations with the requester.
- Manifestly Excessive Requests: Employers can refuse DSARs that are deemed manifestly excessive, and the guidance helps define this criterion.
- NDA or Settlement Agreements: The guidance clarifies whether organisations still need to comply with DSARs when individuals have signed non-disclosure agreements or settlement agreements.
- Employment Tribunal or Grievance Process: Contrary to misconceptions, businesses are still obligated to fulfil DSARs when individuals are involved in employment tribunals or grievance processes.
- Emails Involving the Worker: It provides guidance on handling emails in which the worker is copied.
- Social Media Searches: The guide addresses the complexities of conducting searches on social media platforms used in the workplace, such as Facebook, WhatsApp, and Twitter.
- CCTV Footage Requests: Finally, the guidance outlines how organisations should respond to requests for CCTV footage.

For more detailed information, you can read the original article published by Littler via this link: Original Article.

View full post