The Information Commissioner’s Office received more than 15,300 complaints last year, a 13.5% increase on 2022, over organisations’ failure to comply with obligations around data subject access requests (DSARs).
According to employment law firm GQ|Littler, the scale of the complaints could be the “tip of the iceberg” for employers.
It said complaints about compliance with subject access requests are the most common reason people complain to the ICO. Individuals can submit requests to their employer or former employer requiring them to review significant amounts of documents and to disclose personal data held on the individual making the request.
UK businesses routinely have to deal with subject access requests from individuals, many of which are from disgruntled former employees who often use the data as a “fishing expedition” to obtain documents pre-disclosure or as a strategy to encourage the employer to reach a settlement with them.
Deborah Margolis, senior associate at GQ|Littler, said: “Responding to DSARs can take up a significant amount of business resources in terms of both cost and management time.
“Bearing in mind how much data we create and process about employees on a daily basis, the time spent trawling through documents is overwhelming for many businesses.”
Although the number of complaints received by the ICO is high, GQ|Littler said it was just the tip of the iceberg compared with the actual number of subject access requests submitted. With such high volumes of requests, many businesses struggle to comply with them within the statutory timeframe.
Of the total complaints made to the ICO, 14% of DSARs were in the financial services sector, 9% were in general business and 7% were made in relation to online technology and telecoms.
Margolis added: “DSARs were intended to help individuals to determine if their personal data was being mishandled but some individuals have now weaponised DSARs with the intention of causing disruption for employers and forcing them into reaching favourable settlements.”
Following Brexit, the government proposed to amend the UK data protection law, in a shift away from GDPR, with the Data Protection and Digital Information Bill.
The bill had been expected to pass later this year but was not included in the pre-election “wash-up” last week and would need to be reintroduced in the next parliament if the next government so desires.
It was expected to make compliance with DSARs less burdensome for businesses. Of particular interest to employers, under the draft bill, it would have been easier for organisations to reject or charge a fee for “vexatious” subject access requests.
Margolis said: “This would be a welcome change for employers, many of whom feel that the existing rules allow too many opportunities for abuse.”
Last year, the ICO published guidance for employers on responding to subject access requests, highlighting some of the common misunderstandings organisations have. For example, some employers are unaware that requests can be submitted informally and do not need to include the words “subject access request” to qualify as a legitimate request.