ICO’s new guidance on responding to data subject access requests
27 July 2023
On 24 May, the ICO published its updated guidance for businesses and employers on responding to data subject access requests (commonly referred to as ‘SARs’ or ‘DSARs’).
Based on the right of access outlined in the UK GDPR, data subjects have the right to request a copy of their personal information from organisations.
Over the last couple of years we’ve witnessed an increase in the number of DSARs submitted by current or former employees, with many of them being made as the employment relationship gets litigious.
The ICO said they have received over 15,000 complaints related to DSARs in the last 12 months. Although not all of them were employment-related, the ICO believes that some employers misunderstand the nature of DSARs and underestimate the importance of a proper response to them.
They have now, therefore, issued updated guidance that should assist businesses and employers to ‘not get caught out’.
The new guidance clarifies certain points, such as that there are no formal requirements when making a DSAR and that workers can submit one verbally or even via social media. It also comments on the position of DSARs made in the context of grievances or put forward during the without-prejudice negotiations. A helpful Q&A is also included.
If you have any questions, please get in touch. Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of data protection compliance challenge you may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact our dedicated team.
Willans Data Protection Services provides organisations operating on a multi-national basis with UK and Article 27 Representative solutions, Data Protection Officer services and GDPR training solutions.
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
Less paperwork for organisations, fewer data collection pop-ups for the wider public, and more than £4 billion saved over next 10 years – these are just a few outcomes that…
This September brings change to the use of standard contractual clauses (SCCs) governing data transfers from the EU and EEA. In June this year, the European Commission published two sets…
On Christmas Eve, the nation was informed that the UK and EU had struck a Brexit deal. The transition period is now over, and a clearer picture of the future…
Our website uses cookies to improve your experience while you navigate through our website. Out of these cookies, the cookies that are categorised as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use our website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies but it may affect your browsing experience on our website. You can find our cookie policy here.
Necessary cookies are absolutely essential for our website to function and enable core functionality such as security and accessibility. These cookies do not store any personal information. You can block these cookies by changing your browser settings, but this may affect how the website functions.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
__cf_bm
30 minutes
This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
mgref
1 year
This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
_ga
2 years
The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat
1 minute
This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
_gid
1 day
Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
G
1 year
Cookie used to facilitate the translation into the preferred language of the visitor.
vuid
2 years
Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.