New guidance for employers on responding to subject access requests has been published by the Information Commissioner’s Office, highlighting some of the common misunderstandings organisations have.

Under the UK’s data protection regulations, anyone has the right to submit a subject access request (SAR) to obtain a copy of the personal information an organisation holds about them, including where this information was obtained, what the organisation is using it for and who it is sharing it with.

Employees can request information from their current or former employer, including attendance details, sickness records, or personal development records.

An organisation must respond to a SAR within one month, but this can be extended to two months if the request is complex. Failure to do so can result in a fine or legal action.

The ICO received more than 15,000 complaints relating to SARs last year. Earlier this month the regulator took action against both Plymouth City Council and Norfolk County Council after they repeatedly failed to meet deadlines for responding to SARs.

The ICO’s policy group manager Elanor McCombe said: “What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request.

“Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to.”

The SARs Q&A for employers outlines some of the common questions employers have about requests, including whether information can be withheld, what happens if a worker is unhappy with their SAR response, and whether employers have to disclose any non-work-related personal information.

