WHEN TO SAY “NO” TO A SUBJECT ACCESS REQUEST?
Does this sound familiar?
An employee has raised a grievance, or a former employee is threatening to launch an Employment Tribunal claim. You receive a Subject Access Request (“SAR”) from the (ex-)employee requesting a mountain of documents many of which appear to be of no relevance to the grievance or claim.
Must you comply with SAR?
Before throwing the SAR in the bin, you need to think again… The Information Commissioner’s Office (“ICO”) has published guidance which you may find helpful in deciding whether to comply with SAR. Before doing so, you may wish to review the overall legal requirements which remain unchanged. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
The recent ICO guidelines simply clarify certain aspects of the law. When considering your response to the SAR, consider the following:
Is it “clearly or obviously unreasonable”?
What is the context in which it has been made?
Is the intent behind the request genuine?
How much management time will be required to provide the requested information?
What will it cost?
Is the (ex)employee simply trying to inconvenience the company or apply pressure on It in order, for example, to induce the company to settle a claim?
“Our legal team has seen an increase in vexation SARs over the last year and they are on the increase. Disgruntled employees are making requests as a matter of course with the sole intention of inconveniencing the employer for the purposes of financial gain.”
Has the information already been disclosed as a result of a previous SAR or otherwise?
Be careful if you are minded to reject the request Just because SAR is for a considerable amount of information, and will include a lot of work, the guidelines make it clear that the SAR must be “manifestly unfounded” or “manifestly unreasonable”. Do not reject it solely on the ground that it is excessive. Instead, consider the context of the SAR, the organisation’s resources and take advice if necessary. Having done so, if the decision is made to reject all or part of the SAR because it is manifestly unfounded or excessive, keep a record of the decision-making process and your reasons for refusal. Those reasons should be set out in a letter to the individual along with a reminder of their rights to make a complaint to the ICO and to bring legal proceedings against the organisation to enforce those rights.
FGS’ legal team includes specialists in data protection and privacy law, which enables us to advise on GDPR compliance including commercial contracts, policies and procedures, data breaches, subject access requests and privacy issues.
If you require further advice about data protection, please feel free to call us on 0808 172 9322 for a no obligation discussion.
For further details about the commercial legal service and assistance we provide to businesses, please click here. 👇
This update is for general guidance only and advice should be taken in relation to a particular set of circumstances.