Employers will be familiar with the dread of receiving a subject access request (SAR) from an employee. They take up time and resource, and in many instances it is not clear what information may or may not be provided or the lengths to which the employer is expected to go to comply. This sense of dread can be made worse where the employee’s motives appear, at least in part, intended simply to put the employer to maximum time and trouble.
Guidance on subject access requests for employers
The UK Information Commissioner’s Office (ICO) recently published guidance in the form of a Q&A (SARs Q&A for employers | ICO) designed to help employers handle subject access requests. In part this was in response to the ICO receiving over 15,000 complaints about SARs in the 12 months to March 2023. Many of these arose from employers misunderstanding the relevant requirements, and in particular how to respond, when to push back, and the applicable timelines.
Subject access requests (SARs) need not always be as intimidating as they first appear. We frequently advise clients on how to respond to them appropriately and proportionately.
It is not uncommon, however, for employers to receive SARs in which the employee seeks disclosure of ‘all information relating to my employment’, even though in many cases (and especially for long-serving employees) this could generate tens, if not hundreds, of thousands of pages of data.
Can a company refuse a subject access request?
Under the UK General Data Protection Regulation (UK GDPR), employers can refuse to comply with all or part of a SAR if the request is “manifestly unfounded” and/or “manifestly excessive”.
As the latest ICO guidance makes clear, a SAR is likely to be “manifestly unfounded” where it is “malicious in intent and is being used to harass your organisation with no real purpose other than to cause disruption”. In practice, employers should be wary of relying solely on this defence, as it can be very difficult to justify, especially as it has tended to be narrowly interpreted.
It is more likely that an employer will be able to refuse part or all of the SAR on the basis that it is “manifestly excessive”. The latest guidance states that when considering whether a request is manifestly excessive, “you should consider whether it is clearly or obviously unreasonable. You should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request”. Significantly, however, the guidance goes on to caution against giving undue weight to the amount of data requested, explaining that “a request is not necessarily excessive just because someone requests a large amount of information”. In practice, referring to this provision can be a very effective way to require the employee to significantly narrow the scope of their request, making it altogether less onerous and more manageable.
The threshold for relying on the defence that a request is either manifestly unfounded or manifestly excessive remains a high one, and employers therefore need to continue to tread carefully. The updated guidance, which also includes some worked examples, is a helpful step aimed at ensuring that the legislation is used for its intended purpose rather than as a means simply to inconvenience the employer, whether for the sake of it or as part of a broader effort to secure concessions from an employer in a wider dispute.
If an employee believes that the employer has not fully complied with their request they can:
- Complain to the Information Commissioner’s Office; and/ or
- Make a Court application for a compliance order under section 167 Data Protection Act 2018; and/or
- Make an application to the court seeking compensation under section 1687 Data Protection Act 2018.
Before making a compliance order the court must be satisfied that there has been a breach of one or more of the requirements of the data protection legislation, and must then have regard to the general principle of proportionality and the need to balance the rights of the data subject against the interests of the controller.
The court also has power to make an award of compensation under other provisions in the DPA 2018 if there has been BOTH a breach of the data protection provisions AND the claimant has suffered distress as a result of the breach.
Recent cases involving subject access requests
In the case of AB v MoJ EWHC 1847 (QB), the claimant made a number of data subject access requests to the Ministry of Justice (MoJ) in connection with his wife’s death and subsequent events involving a coroner. The MoJ failed to respond within the statutory deadline, and incorrectly withheld personal data on the basis that legal professional privilege applied. Despite there being no quantifiable financial damage, the court made an award of compensation assessed at £2,250 for distress arising from the delays.
Another, more recent, case indicates that the court will not be quick to find that the claimant has indeed been distressed. In that case the judge found that the claimant’s suggestion that the minimal data breach complained of (an email chasing outstanding school fees sent to the wrong email address) had caused significant distress and worry, or made them feel ill, was inherently implausible. In the judge’s view, “no person of ordinary fortitude would reasonably suffer the distress claimed arising in the circumstances in the 21st century, in a case where a single breach was quickly remedied”. As there was no credible case that distress or damage above a de minimis threshold had been proved, no compensation was awarded.