The Information Commissioner’s Office (ICO) has published detailed guidance for organisations on how to deal with rights of access to personal data (subject access rights) under the General Data Protection Regulation (GDPR).
The publication of new guidance is welcome news for employers, who are likely at some point to receive a SAR from an existing or former employee. With much employment data appearing in documents which are unstructured and which contain data on more than one individual (for example, many emails), dealing with an SAR in an employment context is particularly challenging.
The guidance addresses issues such as:
The circumstances in which a SAR may be deemed complex and enable the response period of up to a month from receipt of an SAR to be paused while the employer waits for the individual to clarify their request.
Determining when a SAR is manifestly excessive. The guidance confirms that this assessment would require the employer to consider whether the SAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the SAR into account and using them to determine whether the response required is proportionate when balanced with the burden of dealing with the SAR.
For more information please contact a member of our Employment Law Team.