The ICO exists to empower you through information.

Subject access request Q and As for employers

Share

What is the right of access?

The right of access, commonly referred to as a subject access request (SAR), gives someone the right to obtain a copy of their personal information from your organisation. This includes where you got their information from, what you’re using it for and who you are sharing it with.

You must respond to a SAR from a worker without delay and within one month of receipt of the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests.

Our right of access guidance explains your obligations under data protection law in further detail.

Further reading -ICO guidance

Right of access

Do people have to submit a request in a certain format?

No. The UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. Workers can make requests to any part of your organisation, and they do not have to direct it to a specific person or contact point. However, you should have a designated person, team and email address for SARs.

You should ensure that your staff are aware of what to do if they receive a SAR.

It’s important to note that a request does not have to include the phrases ‘subject access request’, ‘right of access’ or ‘Article 15 of the UK GDPR’. It just needs to be clear that they are asking for their own personal information.

Examples of SARs

‘Please send me my HR file.’

‘Can I have a copy of the notes from my last appraisal?’

‘What information do you hold on me?’

‘Can I have a copy of the emails sent by my manager to HR regarding my verbal warning’?

Further reading - ICO guidance

How do we recognise a subject access request (SAR)?

Can we clarify the request?

Yes. You could ask the worker to specify the information or processing activities they’re looking for before responding to the request. The time limit for responding to the request is paused until you receive clarification.

However, you should only seek clarification if:

  • it is genuinely required in order to respond to a SAR; and
  • you process a large amount of information about the worker.

Example

You have received a SAR from a worker you have employed for 20 years. Your organisation holds a lot of personal information about them. You immediately ask them if they want all their personal information or more specific information. The worker advises you that they require information about their latest appraisal. This reduces the amount of information you need to send them.

However, if the worker requests all of their personal information, and refuses to narrow down their request, you should carry out reasonable searches for their information to comply with the request.

Further reading -ICO guidance

Can we clarify the request?

When can we withhold information?

Under the UK GDPR, there are exemptions from the right of access that allow you to withhold some, or all, of the information requested. It is important to note that you must apply exemptions on a case-by-case basis and you must justify and document your reasons for relying on them.

You can also refuse to comply with a SAR if it is:

  • manifestly unfounded; or
  • manifestly excessive.

We’ve outlined some exemptions below and further information on manifestly unfounded and manifestly excessive that you may find relevant in an employment context. However, this is not an exhaustive list.

Information about other people

Personal information can cover more than one person. Therefore, responding to a SAR may involve providing information that is about both the requester and someone else.

The DPA 2018 says you do not have to comply with a SAR if doing so means disclosing information which identifies someone else, except where:

  • they consent to the disclosure; or
  • it is reasonable to comply with the request without that person’s consent.

To determine whether it is reasonable to comply without consent, you must consider all the relevant circumstances, including:

  • the type of information that you would disclose;
  • any duty of confidentiality you owe to the other person/people;
  • any steps you took to try to get the other person’s consent;
  • whether the other person is capable of giving consent; and
  • any stated refusal of consent by the other person.

Example

You have received a SAR for a copy of a worker’s HR file. The worker requested information specifically on the decision to not award a pay rise this year.

The file included notes from a meeting with HR, in which the manager and HR discussed the worker’s performance against the criteria set for the pay review.

To help them make their decision on the worker’s pay rise, the manager and HR also discussed their performance compared to other staff on the team and their proposed pay rises.

In response to the SAR, the employer provided the notes that directly related to the worker’s own performance, but redacted the details about the performance of others on the team. They explained to the worker why they had not provided all the information they requested.

Further reading – ICO guidance

 

Some examples of documents that may include information about other people are:

Witness statements

Witness statements, used for internal disciplinary or investigative issues in the workplace, usually include the personal information of more than one person. You must consider if you can disclose them. You do not have to comply with the request if it would mean disclosing information about another person, except if they consent to the disclosure or it is reasonable to comply without their consent.

To decide if it is reasonable to disclose the information, you must consider:

  • the reasonable expectations of the other person and, in particular, any duty of confidentiality you owe to them;
  • any express refusal of consent by the other person and whether they are capable of giving consent;
  • the type of information that you would disclose; and
  • in a work context, factors such as a person’s seniority and role. In general, it is more likely to be reasonable to disclose information about an employee acting in a professional capacity than a private citizen.

Example

You receive a request from a worker for copies of witness statements in response to an allegation of bullying towards a junior member of staff, in which the worker was allegedly involved. You asked for witness statements from colleagues who witnessed the incident on the basis that the statements would remain confidential.

In the first instance, you considered:

  • what personal information, either about the requester or the witnesses, was included in the statements.
  • that the witnesses had been assured of confidentiality by HR; and
  • whether you could redact the statements without disclosing the identity of the writer.

Having considered the above, you decided to not disclose the witness statements, on the basis that:

  • they were given with the expectation of confidentiality; and
  • redaction would not prevent the writer’s identity from being disclosed.

Whistleblowing reports

Whistleblowing is when a worker passes on information about wrongdoing they have witnessed or experienced usually, but not always, at work.

Disclosure of the alleged wrongdoing must be in the public interest. This means it must affect others, for example the general public.

A whistle blower’s report is likely to include information about those suspected of wrongdoing, as well as that of the informants or other third parties, such as witnesses.

In this instance, you must balance the requester’s right of access against the whistle blower’s rights.

It’s important to note that whistle blowers are protected by the Public Interest Disclosure Act 1998 (PIDA 1998). You must consider this alongside data protection legislation.

You must consider the rights of:

  • the requester, under the UK GDPR;
  • the whistle blower as a third party under the UK GDPR; and
  • the whistle blower under the PIDA 1998 - the right to make a protected disclosure.

Case study

A bank worker made a whistleblowing report to the Financial Conduct Authority, alleging financial fraud by their departmental manager.

The manager subsequently submitted a SAR to the HR department.

The bank decided that disclosing the whistleblowing report would prejudice the ongoing investigation into the alleged fraud and disclose the identity of the whistle blower, potentially subjecting them to negative treatment.

The bank decided not to disclose the whistleblowing report under exemptions in the UK GDPR for crime and taxation and identifying other individuals.

 

Further reading: ICO guidance

Public Interest Disclosure Act 1998

Confidential references

You may receive a SAR from a worker for references. These could cover references that you either provided to other organisations or that you received at the start of their employment.

However, under UK GDPR, confidential references are exempt, when provided for the purposes of:

  • education, training, or employment of someone;
  • someone working as a volunteer;
  • appointing someone to office; or
  • provision of any service by someone.

The exemption applies regardless of whether you give or receive the reference.

It is important to note that this only applies to references that you give in confidence. You should make it clear to workers and those providing references whether you treat them as confidential. You should do this in your privacy statement, staff handbook or policies. If these measures are in place, it’s likely you are complying with data protection legislation.

However, if it is unclear whether you are treating references as confidential, you should consider requests on a case-by-case basis, taking into account the following:

  • any clearly-stated assurance of confidentiality that you give to the referee;
  • any reasons the referee may give for withholding consent;
  • the likely impact of the reference on the requester;
  • any risk that disclosure may pose to the referee; and
  • the requester’s interest in being able to satisfy the accuracy and truthfulness of the reference.

Example

A worker is offered a new role in a new company, but after receiving a reference from your organisation, the job offer is withdrawn. The worker submits a SAR to you and the other company requesting a copy of the reference. Both yours and the other organisation’s privacy policy state that references are provided confidentially. This means that neither organisation has to disclose the references.

 

Example

A former worker requested a copy of the reference you provided to their new employer. The reference included details of the worker’s absence record. The reference also stated that you had issued the worker with a first written warning and had placed them on a performance improvement plan (PIP). The worker subsequently left the company before completing the plan or the warning expiring.

You considered that it was reasonable to disclose the reference, because:

  • it was a standard reference provided by HR;
  • it only contained factual information such as the number of absences and that they had a PIP in place;
  • your organisation has disclosed similar references to other workers in the past; and
  • you had informed the worker of the warning and PIP so they were already aware of the information.

Legal professional privilege

Legal professional privilege (LPP) protects certain confidential communications between lawyers and clients.

LPP is only available for communications that are:

  • confidential in nature;
  • unless you are considering litigation, just made between a client and a legal adviser acting in a professional capacity; and
  • made for the dominant purpose of obtaining or providing legal advice or being used by lawyers in possible or probable litigation.

Example

You suspect a member of staff of leaking confidential information to a competitor. You open an investigation and seek legal advice. The worker submits a SAR to find out what the legal advice is and if you are considering further action. You withhold the correspondence between you and your lawyer about the investigation under the legal professional privilege exemption.

Further reading - ICO guidance

Legal professional privilege

Crime and taxation

There are two parts to this exemption. The first part applies if you process personal information for the purposes of:

  • the prevention or detection of crime;
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of a tax or duty or an imposition of a similar nature.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights including right of access (which covers making a SAR), except rights related to automated individual decision-making including profiling;
  • notifying people of personal data breaches;
  • the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful;
  • the purpose limitation principle; and
  • all the other principles, but only so far as they are about the right to be informed and the other individual rights.

But the exemption only applies if complying with a SAR would be likely to prejudice your crime and taxation purpose, as above. If this is not the case, you must comply with the UK GDPR as normal.

Example

A worker has been accused of assaulting a colleague on work premises. You have reported the alleged assault to the police, who are investigating. The worker submitted a SAR for CCTV footage showing the alleged assault. As the police are investigating the alleged assault, you decide not to disclose the footage. You use the crime and taxation exemption to refuse the request, as disclosing it may prejudice the investigation.

Management information

An exemption applies to personal information that you process for management forecasting or planning about a business or other activity. You could refuse to provide this information if disclosure is likely to prejudice the conduct of the business or activity.

You do not have to acknowledge that you hold this information. If you confirm or deny you hold the information, it may prejudice business conduct and cause potential issues with your staff.

Example

You are looking to restructure your business. You are likely to make some redundancies. Your staff hear about this, and some start making SARs asking the company if they’re in the selection pool for redundancy.

After carefully considering the request, you decide to withhold the information under the management information exemption. This is because if you confirm or deny you hold the requested personal information, it may prejudice the conduct of the business and cause staff unrest. You advise the workers that you cannot confirm nor deny you hold the information, using the management information exemption.

Further reading - ICO guidance

Management information

Negotiations with the requester

Personal information that is included in a record of your intentions in negotiations with one of your workers is exempt from the right of access. This only applies if complying with the SAR could prejudice the negotiation. However, this is only likely to apply whilst the negotiations are ongoing. If you receive another request after ending the negotiations, it may be difficult for you to apply this exemption. However, you must demonstrate how using the exemption would prejudice the negotiations.

Example

You are negotiating a severance package with a worker, which requires them to give up all their legal rights to pursue a claim in an employment tribunal.

The worker submits a SAR before the negotiations have completed. You refuse to disclose any personal information included in the negotiations as discussions are ongoing. You cite the ‘Negotiations with the requester’ exemption.

However, the worker submits another SAR after agreeing the settlement. You review the request and disclose the personal information, as you cannot evidence that the disclosure would prejudice your position in future negotiations.

Further reading - ICO guidance

Negotiations with the requester

Manifestly unfounded

A request may be manifestly unfounded if:

  • the worker clearly has no intention to exercise their right of access; or
  • the request is malicious in intent and is being used to harass your organisation with no real purpose other than to cause disruption. For example if the person explicitly states in the request itself or in other communications, that they intend to cause disruption.

Factors that may indicate malicious intent include:

  • making unsubstantiated accusations against you or specific employees which are clearly prompted by malice;
  • targeting a particular employee against whom they have some personal grudge; or
  • systematically sending different requests to you as part of a campaign, for example, once a week, with the intention of causing disruption.

However, you should consider a request in the context in which they make it. If the person genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.

Whilst aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.

Example

A worker, after being made redundant, submits a SAR to you as their former employer. They state that they are making a SAR in accordance with the UK GDPR and will withdraw it if you can agree on an improved financial package. In this circumstance, you refuse to comply with the request as you consider it to be manifestly unfounded.

 

Example

A telecoms company received a number of SARs from former workers who were made redundant. The former workers were members of a Facebook group. The company refused to comply with the SARs on the basis they were manifestly unfounded. They believed the workers had been actively encouraged by the Facebook group to submit SARs to cause disruption to the company.

The former workers raised a complaint with the ICO. The ICO decided the organisation did not comply with their data protection obligations. They failed to demonstrate that the purpose of the SARs was to cause disruption. The company were advised to comply with the SARs.

Further reading - ICO guidance

Manifestly unfounded

Manifestly excessive

To determine whether a request is manifestly excessive, you should consider whether it is clearly or obviously unreasonable. You should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request.

This means taking into account all the circumstances of the request, including:

  • the nature of the requested information;
  • the context of the request, and the relationship between you and the requester;
  • whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to someone;
  • your available resources;
  • whether the request largely repeats previous requests, and a reasonable interval hasn’t elapsed; or
  • whether it overlaps with other requests (although if it relates to a completely separate set of information, it is unlikely to be excessive).

A request is not necessarily excessive just because someone requests a large amount of information. As stated above, you should consider all the circumstances of the request. You could also consider asking them for more information to help you locate the information they want and whether you can make reasonable searches for the information. Please see ‘Can we clarify the request?’ and ‘What efforts should we make to find information?’.

You should consider the following when deciding whether a reasonable interval has elapsed:

  • the nature of the information, this may include whether it is particularly sensitive; and
  • how often you alter the information – if it’s unlikely that the information has changed between requests, you could decide you do not need to respond to the same request twice. However, if you have destroyed information since the last request, you must inform them.

Example

You are the owner of a small business, employing four members of staff. You receive a SAR from a former worker requesting all the information you hold.

An initial research results in 3,000 emails containing the worker’s personal information.

You consider the request to be manifestly excessive. You contact the ICO for further advice. The ICO recommends:

  • requesting clarification from the worker to narrow down the search;
  • reviewing the emails for those which only contain the name, email address and signature; and
  • considering whether you can supply this information in a summary, for example ‘1000 emails contain only your name, email address, and signature.’

You decided to provide a summary of information.

 

Example

A former worker submitted a SAR requesting all their personal information processed during their employment. The company provided an electronic copy of the personal information to the worker as agreed. The worker subsequently submitted another SAR and asked you to resend the information in hard copy format and in chronological order. The company refused the request, citing it as manifestly excessive, because:

  • you had already supplied all the personal information in an electronic copy as agreed with the worker;
  • no new personal information had been generated since you issued the first SAR response; and
  • you provided the information in a clear and intelligible format.

The former worker raised a concern with the ICO. On review of the information provided, we considered that the organisation had lawfully applied the exemption.

Further reading - ICO guidance

Manifestly excessive

Do we have to advise the requester if we are withholding information?

This depends on the circumstances of each case. In some circumstances, it may not be appropriate to tell the requester that you are withholding personal information. For example, if this would prejudice the purpose of the exemption. Wherever possible, you must be as transparent as possible.

Example

You receive a SAR from a worker requesting all their personal information. You are investigating the worker for alleged fraud and decide to withhold all the information about the investigation under the crime and taxation exemption. In this instance, it would not be appropriate to inform the worker as it would be likely to prejudice the investigation as the worker may destroy evidence. You supply the worker with most of their personal information but withhold the information about the investigation.

Do we have to comply with a SAR if the worker has signed a non-disclosure or settlement agreement?

Yes. People have the right to obtain a copy of their personal information from you. This right cannot be overridden by a settlement or non-disclosure agreement.

If a settlement agreement you have made with a worker limits their right of access, then it is likely this part of the settlement agreement will be unenforceable under data protection legislation. Signing a settlement or non-disclosure agreement does not waive a worker’s information rights.

Do you need to comply with a SAR if the worker is going through a tribunal or grievance process?

Yes. People have the right to obtain a copy of their personal information from you.

You cannot simply refuse to comply because the worker is undergoing a grievance or tribunal process, and you believe they intend to use their personal information to obtain information for potential litigation. If you believe it isn’t appropriate to disclose the relevant information, you must demonstrate what exemption you are using and why.

It is important to note that whilst there may be separate rules for disclosing information in the course of a tribunal, you must comply with a SAR. This applies even if there may be some cross-over in the information supplied.

However, even if you have already disclosed the information through another statutory process, such as in employment tribunal proceedings, this does not mean you can refuse to comply with a SAR.

Documents disclosed for the purposes of the litigation may not contain all the worker’s personal information. Alternatively, the worker may have only been allowed to view the information rather than receive a copy. In this instance, you must review the request and, where possible, provide them with a copy of their information.

You may also hold other personal information that was either not required to be disclosed at the time of the tribunal or did not exist at the time. You could potentially disclose this information under a SAR, particularly if you did not disclose it during the tribunal proceedings.

You should also bear in mind that the information disclosed during the tribunal proceedings is given to the worker’s legal representative and not to the worker. You cannot assume that the worker can access any or all the information, just because you have provided it to their lawyer. They may also have changed their legal representative during the case. You should carefully consider the circumstances of the request and must ensure you provide all the worker’s personal information that they’re entitled to.

Example

A worker is taking your organisation to tribunal, claiming unfair dismissal. You provided their legal representative with a bundle of documents about the case. The worker has also submitted a SAR. You refused to comply with the SAR as you believe you have already supplied the information to the worker’s legal representative.

However, the tribunal bundle did not contain all the worker’s personal information you held, and it was not given directly to the worker. In this instance, you must review the SAR and provide them with a copy of their personal information.

Do we need to disclose any non work-related personal information?

Organisations should have policies and procedures in place so that workers are aware of what they can and can’t do on the IT system. For example, a reasonable use or a personal use policy.

Example

A former worker submits a SAR for all their personal information. The worker requests emails they believe were exchanged between colleagues using their personal email accounts. Although the colleagues accessed their personal email accounts via work laptops, you do not consider the company to be the controller of the information. You also consider the information to have been processed for personal and household use and decide not to disclose it.

Do we have to disclose emails that the worker is copied into?

The right of access only entitles the worker to obtain a copy of their personal information from your organisation. You must consider what information in the email is the personal information of the requester. It also depends on the contents of the email and the context of the information it contains.

Ultimately, it is for you to determine whether any of the information in the email is the requester’s personal information. However, it is important to remember:

  • the right of access only applies to the requester’s personal information contained in the email. This means you may need to disclose some or all of the email to comply with the SAR;
  • just because the contents of the email are about a business matter, this does not mean that it is not the requester’s personal information. This depends on the content of the email and whether it is about the requester; and
  • just because the requester receives the email, this does not mean that the whole content of the email is their personal information. Again, the context of the information is key to deciding this. However, their name and e-mail address are their personal information, and you must disclose this information to them.

Example

A worker requested copies of all emails containing their personal information. The emails include an invitation, along with colleagues, to a team event to award team members who had closed the most cases. The email also contained a ‘league table’ with top five best performing team members.

As the content relates to the worker, the email counts as their personal information and you should therefore disclose it. However, you should redact the names of other people included in the email before disclosing it.

Do we have to include searches across social media?

Yes. If your company uses social media platforms such as Facebook, WhatsApp, Twitter and chat channels on Microsoft Teams for business purposes, then you are the controller for the information processed on those pages.

The UK GDPR applies to any social media activity carried out in a commercial or professional context.

If you receive a SAR, you must search these platforms for any personal information if it falls within scope.

You should also consider social media posts supplied to you by others as potentially in scope. For example, if a worker submits a copy of posts made by a colleague criticising their manager in a WhatsApp group.

Example

Your organisation has a Facebook page on which workers can post comments on activities and events run by the company. A worker submits a SAR for their personal information, including comments posted on your company’s Facebook page. You review the social media posts and supply them to the worker as part of the SAR response.

 

Example

A charity received a SAR from a former worker who was sacked for posting inappropriate content on his Facebook page. A volunteer submitted the posts to the charity, and they were considered as part of the worker’s disciplinary. The former worker submitted a SAR for a copy of the Facebook posts, but the charity refused to disclose the posts to the worker.

The worker raised a complaint with the ICO. The ICO advised the charity to disclose the posts on the basis that he was the poster of the comments, was already aware of the contents and they had been discussed as part of the disciplinary process.

We’ve had a request for CCTV footage, but it contains images of other people. Do we have to disclose it?

Yes. Workers who submit requests for footage that contains their personal information have a right to receive that information under data protection legislation. When installing CCTV, you should make sure you choose a system that allows you to easily locate and extract personal information in response to subject access requests. You should also ensure it allows for the redaction of third-party information, where this is necessary. If your CCTV system has this functionality, it will likely enable you to comply with your data protection obligations.

However, if your CCTV system does not have this functionality, you still need endeavour to comply with your obligations. However, you should only disclose the footage if you have the other people’s consent to do so, or if it’s reasonable to do so without their consent.

Example

A leisure centre worker requested CCTV footage of an incident in the staff car park where their car was damaged. The leisure centre refused to disclose the footage on the basis it contained images of other people in the car park at the time and it couldn’t redact or blur the images.

The worker complained to the ICO. The ICO advised the centre to provide stills of the footage with the other people’s identities redacted.

Further Reading

Can the ICO advise me what to include in a SAR response?

No. The ICO is an independent regulator. Whilst we can provide information and guidance on the interpretation of and compliance with data protection legislation, we cannot specifically advise on what you can and cannot disclose or include in a SAR response. You must demonstrate compliance with your duties under the relevant legislation.

What happens if a worker isn’t happy with their SAR response?

In the first instance, the worker should raise their concern with you. You should take the complaint seriously and work with the requester to try to resolve it. However, if no resolution is found, the worker then has the right to raise a concern with the ICO.

If we think you have not responded to the request appropriately, we can give you advice and ask you to resolve the problem.