8 Min Read

DSARs: What the updated ICO guidance means for employers

Read more

By Khurram Shamsee, Kate Galloway & Yassar Lodhi


Published 30 June 2023


The ICO has recently published new guidance, in the form of a series of questions and answers, specifically for employers on data subject access requests (DSARs).

While the guidance reflects the ICO's established guidance on the right of access, it provides helpful examples on issues which arise in the employment context, going further than the existing guidance.  The key points to note for employers are set out below.

  • A settlement or non-disclosure agreement cannot override the right of access. If a settlement agreement attempts to waive an employee's right of access, the Q&As states expressly it is "likely" that this element of the agreement will be unenforceable. This point has yet to be tested by the courts, however it is clear that the ICO will take a dim view of an employer relying upon such a waiver in order to decline responding to a DSAR in the future.   The Q&As do not comment on an employee agreeing to withdraw an extant DSAR under the terms of a settlement agreement.
  • People do not have to submit a DSAR in a certain format or label it as such.

DSARs can be made:

  • verbally or in writing (including by social media)
  • to any part of the organisation and do not need to be directed to a specific person or contact point (despite the need to have a designated person, team and email address for DSARs).

The guidance gives some examples of DSARs stating "Please send me my HR file" or "What information do you hold on me?". It remains open to an employer to clarify a DSAR's scope.

  • An employer cannot refuse to comply with a DSAR because of an ongoing tribunal or grievance process.
  • Employees are not generally entitled to every email including those they are copied on: this is not news; the right of access is to personal information not to every email containing the individual's name, but it is useful to have this spelt out in the guidance as employees often doesn't understand that they are not entitled to everything.
  • Social media platforms used for business purposes must be searched for personal information when responding to a DSAR.

The Q&As make it clear that the employer is the data controller of the information processed on platforms such as Facebook, WhatsApp, Twitter and Microsoft Teams pages for business purposes. Posts supplied to the employer from personal devices should also be considered for disclosure in certain circumstances. This makes it more important than ever that employers have policies in place setting out how these platforms should be used (or not used) to establish clear parameters around when the employer will be the relevant "data controller" .

  • Employers must apply exemptions to withhold or limit what's supplied on a case by case basis balancing competing employment and data privacy rights. Some of the exemptions addressed are:
    • Information about other people: examples given include deciding after due consideration not to disclose i) the witness statements relating to a disciplinary issue if they were given with the expectation of confidentiality and redaction would not prevent the writer’s identity from being disclosed and ii) a whistleblowing report where it would prejudice the ongoing investigation into the alleged malpractice and disclose the identity of the whistleblower, potentially subjecting them to negative treatment.
  • Confidential references: the guidance reiterates that the exemption is only for confidential references. This should be made clear to workers and those providing references through the organisation's privacy notice, staff handbook or policies. If this has/is not made clear DSARs involving references need to be considered on a case by case basis.
  • Management information: or business planning information can be withheld if disclosure is likely to prejudice the conduct of the business. An example is given of where employees discover a restructuring exercise is being considered, and ask for information about redundancy selection pools. After careful consideration a decision could be made not to provide the information as it may prejudice the business and cause staff unrest. The employer could reply that it cannot confirm nor deny that it holds the information.
  • Negotiations with the requester: the example of a severance package is given. If providing the information would prejudice the negotiations it can be withheld, but if another DSAR is submitted after the settlement is agreed the employer not be able to demonstrate that negotiations would be prejudiced to withhold the information.
  • Relying on the manifestly unfounded or excessive exemptions need to be considered on a case by case basis but are not impossible.
    • Manifestly unfounded: a helpful example is given of someone stating they will withdraw their DSAR if the employer agrees to an improved financial package. This would be manifestly unfounded as the person is not genuinely wanting to exercise their privacy rights. Otherwise to meet this exemption the request must be malicious. The use of aggressive or abusive language does not necessarily make a request manifestly unfounded.
    • Manifestly excessive: the employer must assess whether the request is “clearly or obviously unreasonable” based on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. A request is not necessarily excessive just because someone requests a large amount of information. In deciding whether a reasonable interval has passed between a repeat of a previous request it's relevant to consider whether the nature of the information is particularly sensitive and how often the information is altered.
  • If the worker is unhappy with a DSAR response they should raise it first with the employer before complaining to the ICO

What should employers do?

Following the publication of the Q&As, there are some steps that employers should consider taking to ensure best practice:

  • Train managers so they can recognise a DSAR and pass it onto the designated person/team as it may well not be labelled as such.
  • Review and amend data privacy notices and staff handbooks to ensure they reflect the new guidance.
  • Ensure you have robust IT/social media/WhatsApp use policies in place clearly setting out what workers can and cannot do on work devices, and covering off how they should conduct themselves in informal groups set up between colleagues.
  • Take advice on the strategy for dealing with a DSAR on its receipt to ensure maximum use of the exemptions.
  • Document the reasons behind decisions to withhold information.
  • Carefully consider whether to reference a DSAR / DSAR rights in a settlement agreement given the ICO's position on this issue.