ICO SAR Guidance Summary

The ICO has observed a significant rise in complaints concerning Data Subject Access Requests (DSARs). Between April 2022 and March 2023, the ICO received 15,848 complaints, highlighting ongoing challenges with compliance. In response, the ICO has taken enforcement action, such as reprimanding organisations for failing to meet DSAR deadlines. For instance, Norfolk County Council was reprimanded in May 2023 after responding on time to only 51% of DSARs between April 2021 and April 2022.

Key Points from ICO’s New Guidance

  1. Right to Access Unaffected by Agreements: Employees cannot waive their right to personal data through settlements or non-disclosure agreements. Attempts to do so would likely be unenforceable.
  2. Disclosure of Emails: Emails that employees are copied into may be disclosed if the content relates to the employee. However, information about other employees should be redacted.
  3. Personal vs. Business Data: Employers must assess whether personal data in business emails needs to be disclosed. If the email contains third-party or privileged data, redaction is required.
  4. Social Media and Communication Tools: DSARs extend to social media and communication tools used for business purposes, including Facebook, WhatsApp, and Microsoft Teams.
  5. Personal Email Use: Emails sent via personal accounts on company devices are likely outside the scope of a DSAR unless business-related.
  6. Tactical Use of DSARs: DSARs are increasingly used in employment disputes. Despite this, employers cannot refuse to comply based on the intent to gather evidence for grievances or tribunal processes.
  7. Refusal to Comply: Organisations can refuse DSARs if they are ‘manifestly unfounded’ or ‘manifestly excessive,’ such as in cases of malicious intent or when the request is made in bad faith.

Recommendations for Employers

  • Policy Review: Employers should ensure their data protection policies, including privacy notices and handbooks, align with the new guidance.
  • IT & Communications Policies: Establish clear guidelines on the use of IT systems and devices, so that personal accounts are not used for business matters.
  • DSAR Training: Ensure relevant staff receive training on DSAR compliance and the latest guidance.
  • Resource Assessment: Evaluate whether the organisation has adequate resources to handle DSARs, potentially expanding the DSAR team or seeking external expertise.
  • Technology Update: Review and, if necessary, update the organisation’s DSAR-handling technology, such as redaction tools.

This new guidance highlights the ICO’s focus on ensuring compliance with DSARs and protecting individuals’ rights to access their personal data.