A disgruntled employee has raised a grievance or is gearing up to bring a claim in the employment tribunal, and now you have received an email demanding that you give them copies of all the documents and emails you hold which relate to them, stating that this is a ‘subject access request’. Sound familiar? Unfortunately for many employers, this is an all-too common occurrence.
Subject access requests (SARs) are often used as a tactical tool by employees, or ex-employees, who are fishing for damaging documentation to aid them in bringing a claim or to put them in a stronger negotiating position with their employer.
This article explores when it might be possible to respond to a SAR, or to charge a fee for responding, as well as considering the future of the legal principles in this area.
Businesses should remember that the right to make a SAR does not give an individual the right to demand copies of any documentation or records that they fancy. It gives them a right to access their own personal data that their employer holds on them and to understand the basis for the employer holding and processing that information.
Given that there are also various exemptions that can be applied when considering what to include in response to a SAR, in many cases a disgruntled employee who has made a SAR in vexatious circumstances will be disappointed at the level of information they are actually entitled to receive in response to it.
Nevertheless, dealing with a SAR is a time consuming and onerous task, so if you know that an employee has made the request not because they have genuine privacy concerns, but because they are aggrieved about something that has happened at work and so are trying to gain access to information they can’t currently access, is it possible to simply refuse to respond? As is usually the case when it comes to questions like this, the answer is possibly, but it does depend on the circumstances.
It is possible to refuse to comply with a SAR, but currently only where the request is ‘manifestly unfounded’ or ‘excessive’.
The Information Commissioners Office provides guidance on what might amount to a ‘manifestly unfounded’ request, with examples such as:
The Information Commissioner's Office does caution however that this is not a ‘tick list’ which enables an employer to automatically deem the request to be manifestly unfounded if it seems to fall within one of these examples. The employer is still required to consider the particular circumstances and context of the request and the requestor, and the burden will be on the employer to demonstrate why the request is manifestly unfounded, if challenged.
From an HR perspective, the importance of considering the particular circumstances of the request also ties in closely with appropriate management of that employee generally. Even if an employer suspects an employee has made a request maliciously, failure to fairly and reasonably consider the overall context and/or failure to clearly communicate the reasons for not responding, if that is the decision, could cause a further deterioration in relations. This could in turn exacerbate the risk of grievances or employment claims.
‘Manifestly excessive’ has a slightly different meaning. This requires an employer to consider whether the request is clearly or obviously unreasonable in terms of the burden involved in dealing with it.
Again, it involves looking at the circumstances of the request, but a manifestly excessive request might occur for example where the requestor has already made a request for largely similar information not long ago or before the employer has had the chance to respond to their previous request. An organisation might also be able to deem a request manifestly excessive if the same information has already been made available to the requestor through alternative means.
A request will not however be manifestly excessive just because the employee has requested ‘all data’ that the organisation holds on them. In such circumstances, the employer should consider asking for more information from the employee in order to help identify and locate the data they are looking for, rather than simply refusing to respond.
It is worth noting that, if an employer decides that a request is manifestly unfounded or excessive, it can still choose to respond to it and charge a reasonable fee to the employee as part of this.
There are currently no limits on what might be considered a ‘reasonable’ amount to charge, so the recommendation is to estimate the amount of staff time which will be involved in responding to the request and then apply a reasonable hourly rate to this figure. The fee can also cover printing and other equipment costs.
Even if an employer feels that a SAR is manifestly unfounded or excessive, in the interests of minimising risk and maintaining good relations with an existing employee, a practical solution could be for it to still respond to the employee’s SAR, but only to a limited extent.
The employer could essentially decide to respond to the most reasonable elements of the SAR, or to respond to what it considers is a reasonable extent, if the SAR is not easily broken down into different elements. The employer could then reserve its arguments as to why the request is manifestly unfounded or excessive for the most unreasonable aspects, or in the event their approach is challenged by the employee.
There is a key upcoming change in this area. In March last year the UK Government introduced a new version of the Data Protection and Digital Information Bill which will make changes to current data protection legislation, once in force.
One of the changes is to amend the exemption we have been discussing, so that an employer can refuse to respond to a SAR, or charge a fee, if the SAR is ‘vexatious or excessive’, instead. The bill states that examples of vexatious requests include those that are intended to cause distress, are not made in good faith, or are an abuse of process.
This new legislation will therefore give much greater scope for employers to refuse to respond to requests made by disgruntled employees who are not motivated by privacy concerns, but are simply probing for information to use against their employer.
The original intention was for this bill to be passed by spring 2024, so this could happen very soon. We anticipate that the Information Commissioner’s Office will publish updated guidance on the matter, once the legislation is in force.
For more information or advice, please contact Rachel Barnet or any member of our data protection team.
