New ICO guidance on DSARs

Show Notes

The UK Information Commissioner’s Office (ICO) released updated guidance in May 2023 focused on how employers should respond to data subject access requests (DSARs) from employees. This new guidance is produced for employers in the format of a Q&A, and gives employers an idea on what to do in certain situations if an employee requests a DSAR. 

In this podcast Lucy Densham Brown and Rebecca Dowle members of the Data Protection team at Clarkslegal summarise some of the key takeaways from that Q&A including: 

• Settlement agreements
• Social media platforms
• Personal email address 
• Redacting unrelated data

If you have any questions at all about any aspect of the DSAR process, or need some advice on how to respond to a DSAR, please contact our Data Protection lawyers for advice.

Transcript

Rebecca Dowle 

Hello, and welcome to our latest Data Protection podcast. My name is Rebecca, and I am a trainee solicitor in the Data Protection team here at Clarkslegal. I am joined on this podcast today by my colleague Lucy, a solicitor, who is also a part of the Data Protection team. Hi there Lucy.

Lucy Densham Brown          

Hi everyone.

Rebecca Dowle 

So the aim of today’s podcast is really to get-to-grips with and discuss the most recent update issued by the ICO concerning ‘Data Subject Access Requests’, also known to us as “SARs” or “DSARs”. 

Now, just a quick point to note here. We have already discussed DSARs quite a bit on our previous Data Protection podcast. So for those of you that are wondering what a DSAR is and how one is made, I recommend giving our previous podcast a listen, its called Data Subject Access Request: Advice for Employers.

Okay, so back to the ICO’s recent employer guidance. Lucy, could you just kick off the podcast today by explaining what the ICO is and how it plays a part in this?

Lucy Densham Brown          

Yes of course Rebecca. The Information Commissioner’s Office, also known as the ICO, is the UK’s Data Protection Authority. It is an organisation that acts effectively as a UK watchdog for protecting public interests, and is responsible for ensuring that companies reach regulation standards; one of those being the protection of individual’s personal data. 

Rebecca Dowle 

Thank you for that Lucy, and from my understanding the ICO issued a recent update in May 2023 which included new guidance for employers, specifically in relation to SARs. 

Lucy Densham Brown 

Yes that is right. This new guidance is produced for employers in the format of a question and answer, and gives employer’s an idea on what to do in certain situations if an employee requests a DSAR. 

Rebecca Dowle 

Okay great, and so as part of this podcast today, Lucy and I are going to summarise some of the key take aways from that Q&A. Firstly, I found it really interesting to read that as part of the new ICO guidance, a settlement or non-disclosure agreement, cannot override a person’s right to a copy of their personal data. The ICO also went on to say, that any part of an agreement that attempts to waive an employee’s DSAR right is likely to be unenforceable. 

Lucy Densham Brown          

Yes, and that part was really interesting actually. Its common practice for a settlement agreement to include a clause which waives any current DSARs the employee may have against the company, and any future DSARs they may bring. This guidance is therefore very impactful as it overturns this standard practice. It’s important to note that the agreement as a whole would still stand, and it would only be that element of the agreement, that sought to waive the employee’s right, which would be unenforceable. 

Rebecca Dowle        

Okay, that makes sense. So what other key take aways that you found in the guidance Lucy?

Lucy Densham Brown          

What grabbed my attention was the fact that if an employer uses social media platforms specifically for business purposes and is asked by an employee to conduct a DSAR, the employer must now look for personal data across all those social media platforms.

Rebecca Dowle        

Oh yes I saw that, and this is because the employer will effectively be the controller of information processed on these social media platforms.

Lucy Densham Brown

That’s right. The ICO made clear that this applies to platforms such as Facebook, WhatsApp, Twitter and any other channels like Microsoft Teams, if those channels are used for business purposes. 

Rebecca Dowle        

I can imagine that covers quite a lot of avenues then?

Lucy Densham Brown 

It does, especially if that employer has a strong social media presence. The ICO also said employers should consider social media posts that are sent to them by third parties as potentially being under the scope of the DSAR. For example, a worker might send a copy of a post made by a coworker that criticises their manager in a WhatsApp group, and that copy in the WhatsApp group would fall into the scope of the DSAR. Hence, it should be disclosed. 

Rebecca Dowle 

I see, thanks for that Lucy. So if we now move onto the next key point in the guidance. I noticed that if an employee sends emails from their personal email address, say whilst they are using a work device such as a laptop or phone, then these emails are likely to contain information intended for personal or domestic use only, and therefore, on that basis, the emails would be excluded from the DSAR.

Lucy Densham Brown 

Yes exactly, because in this scenario the employer would not be the controller of the information. And because the employer is not the controller, there is no requirement for the employer to share this data as part of the DSAR. 

Rebecca Dowle        

I see. And I guess this feeds into the fact that every company should have specific policies which restrict personal use of work equipment.  

Lucy Densham Brown 

I agree, for instance, an organisation should have policies which govern how employee’s use work equipment and that they should only use it for work related matters. And any non-work-related personal information on those devices would not be necessary to disclose as part of the DSAR. 

Rebecca Dowle 

Okay great. So lastly, I just want to talk about the scenario where the data processed is unrelated to the data subject (i.e. employee who is making the DSAR). Here, the ICO suggests that data subjects are only entitled to personal data which relates to them, but what if this information is contained in emails that also discuss, for example, business matters.

Lucy Densham Brown 

So in this scenario, this could include for instance an email that the employee is copied into and the content of the email is discussing work. 

Rebecca Dowle 

Yes that’s right. From what I understand, just because the content of the email is about a business matter, it doesn’t necessarily mean that the information contained in that email is not personal information. And the ICO gives guidance on this point. It states that an employer must carry out an exercise to determine whether some or all of the data in the email, must be disclosed in order to comply with the DSAR. 

Lucy Densham Brown          

And if an email contains personal information of the subject as well as third-party information or information covered by legal privilege, then the employer must carry out a redaction of that data to ensure that only relevant data is disclosed. 

Rebecca Dowle 

Thank you for that Lucy, that is great. You can see how important it is for employer’s to keep up-to-date on the ICO guidance, as it’s unlikely to be so black and white when it comes to responding to these DSARs. 

So that brings us to the end of the key take aways from the new guidance issued by the ICO. Thank you for listening to Clarkslegal Law Bites podcast from the Data Protection Team. If you have any questions on the topics discussed today, or about data protection or DSARs generally, please contact a member of our Data Protection team who will be very happy to assist you. Thank you all listening. Goodbye.

Lucy Densham Brown

Goodbye.