Guidance on Data Subject Access Requests

Background

In May 2023, the Information Commissioner’s Office (ICO), the UK’s data protection authority, published updated guidance for employers on Data Subject Access Requests (DSARs). Although the ICO uses the term “worker” without strict definition, its Employment Practices Code clarifies that this includes employees, contractors, temporary and agency staff (current and former), as well as job applicants.

Under UK data protection legislation, individuals have the right to obtain a copy of their personal data from organisations processing their information. This right is designed to enable data subjects to review how and why their data is used, but it can be time-consuming and resource-intensive for employers to manage.

The ICO’s recent press release reported 15,848 DSAR complaints between April 2022 and March 2023, and enforcement action is on the rise. For example, in May 2023 Norfolk County Council was reprimanded for responding to only 51% of DSARs within the required timeframe.

The New Guidance Explained

The ICO’s Q&A guidance addresses key issues employers face when handling DSARs:

• Non-waivable right: An employee’s right of access cannot be overridden by settlement or non-disclosure agreements. Any clause attempting to waive this right is likely unenforceable.
• Emails and cc’d content: If an employee is merely copied into an email containing personal data about them (e.g., a performance league table), that content counts as their data. Other workers’ names must be redacted.
• Mixed content emails: Employers must review emails containing both the subject’s personal data and third-party or privileged information. Use redaction to disclose only the relevant personal data.
• Social media searches: If an employer uses channels like Facebook, WhatsApp, Twitter or Microsoft Teams for business, those pages are within the employer’s control scope—and must be searched for DSAR compliance.
• Personal email on work devices: Emails sent from a personal account on employer-provided devices are likely for purely personal use. In such cases, the employer is not the data controller and need not disclose that content.
• Tactical DSARs: Workers may use DSARs to gather evidence during grievances or tribunal proceedings. However, this does not justify refusing to comply with a valid request.
• Refusing DSARs: Employers may refuse or limit DSARs if they are manifestly unfounded or manifestly excessive. Examples include malicious requests or bargaining tactics, such as withdrawing a DSAR only if the employer improves a redundancy package.

Recommended Next Steps for Employers

To align with the new ICO guidance, employers should:

• Review DSAR policies: Update privacy notices, staff handbooks and data protection policies to reflect the guidance. Compare against the ICO’s guidance on DSARs to ensure consistency.
• Implement robust IT policies: Clearly define acceptable use of devices, prohibiting business communications via personal email to avoid DSAR complications.
• Train relevant staff: Provide DSAR compliance training to HR, legal and IT teams so they understand how to apply redactions, manage searches and recognise unfounded requests.
• Assess resourcing needs: Evaluate the volume of DSARs received and determine whether to expand in-house teams or engage external specialists.
• Upgrade technology: Test and, if necessary, procure advanced redaction tools or e-discovery services to handle complex requests efficiently.

By taking these steps, employers can mitigate risk, manage costs and demonstrate a commitment to upholding data subject rights under UK GDPR. For more detailed insights, see our full analysis of the ICO’s DSAR guidance.