Employers faced with a subject access request should ensure they refer to the updated guidance recently issued by the Information Commissioner's Office. The guidance has been amended to reflect recent case law (summarised here) and notes (at pages 43-44) that data controllers are only required to carry out only a reasonable and proportionate search for personal data. However, it stresses that there is a high expectation that information will be provided in response to a SAR and that the burden of proof will be on the data controller to show that it took all reasonable steps to comply. The guidance states that it is good practice to have an open conversation with the applicant about the information they require and that, if a complaint is lodged, the ICO may take into account the data controller's willingness in this respect as well as the level of co-operation from the applicant. The guidance also reflects the case law confirming that an applicant's motive for making the SAR is not relevant, although an abuse of process is one of the factors that may influence the court when exercising its discretion to order compliance (page 64).
Key contacts
Samantha Brown
Managing Partner, Employment, Pensions and Incentives, UK and EMEA, London
Steve Bell
Managing Partner, Employment, Industrial Relations and Safety, Asia and Australia, Melbourne
Emma Rohsler
Partner, Head of Employment, Pensions and Incentives, EMEA, Paris
Tim Leaver
Partner, London
Andrew Taggart
Partner, London
Fatim Jumabhoy
Partner, Head of Employment & Workplace Investigations, Asia, Singapore
Barbara Roth
Partner, New York
Christine Young
Partner, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.