The Information Commissioner’s Office (ICO) has published new guidance for businesses and employers on responding to subject access requests (SARs).
The right of access, commonly referred to as a subject access request or SAR, gives someone the right to request a copy of their personal information from organisations. This includes where the organisation got the information from, what it is using it for and who it is sharing it with.
Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development, or HR records.
Organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex. If organisations fail to respond to SARs promptly, or at all, they can be subject to fines or a reprimand.
From April 2022 to March 2023, the ICO received over 15,000 complaints related to subject access. Analysis suggests that employers regularly misunderstood the nature of requests and often failed to respond promptly, or at all, leaving themselves open to fines or a reprimand. The ICO is therefore urging employers to read the new guidance and understand the rules on dealing with SARs, to avoid non-compliance.