Employers faced with a subject access request should ensure they refer to the updated guidance recently issued by the Information Commissioner's Office. The guidance has been amended to reflect recent case law (summarised here) and notes (at pages 43-44) that data controllers are only required to carry out only a reasonable and proportionate search for personal data. However, it stresses that there is a high expectation that information will be provided in response to a SAR and that the burden of proof will be on the data controller to show that it took all reasonable steps to comply. The guidance states that it is good practice to have an open conversation with the applicant about the information they require and that, if a complaint is lodged, the ICO may take into account the data controller's willingness in this respect as well as the level of co-operation from the applicant. The guidance also reflects the case law confirming that an applicant's motive for making the SAR is not relevant, although an abuse of process is one of the factors that may influence the court when exercising its discretion to order compliance (page 64).
Key contacts
Steve Bell
Managing Partner - Employment, Industrial Relations and Safety (Australia, Asia), Melbourne
Emma Rohsler
Regional Head of Practice (EMEA) - Employment Pensions and Incentives, Paris
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.