Mon 12 Jun 2023

Subject access requests: ICO issues new guidance for employers on how to respond

Recent guidance issued by the Information Commissioner's Office (ICO) provides helpful pointers on how employers should deal with subject access requests (SARs).

A reminder - the right of subject access

Individuals have a general right to ask for a copy of the personal data an organisation holds about them.

Within one month of receipt of the request, an individual should be provided with confirmation of the personal data held, a copy of their personal data, and, amongst other things, details of where the information came from, the purposes for which the data is being used and who the data is being shared with. For example, an employee is entitled to request their employer provide details of their attendance, absence, HR or personal development records. The right also extends to former employees.

The time period for responding to a SAR can be extended to three months where the request is unusually complicated.

A request need not contain the words “subject access request”, nor are there any formalities that must be adhered to – a request can even be made orally.

Between April 2022 and March 2023, the ICO received 15,848 SAR-related complaints.

The ICO’s latest guidance, therefore, seeks to ensure that individuals receive the information to which they are entitled in the required timeframe whilst supporting employers in how to respond to requests. It is hoped that the guidance will help organisations in complying with their duties and reduce the significant volume of complaints received by the ICO each year.

Non-compliance with the requirements relating to SARs may result in enforcement action by the ICO, such as a reprimand or fine. For example, the ICO recently reprimanded two local councils for continually failing to respond to SARs in the required timeframe in accordance with their legal obligations.

The ICO guidance sets out helpful examples in a question and answer format, confirming:

  • SARs are not subject to any formalities in the way they are asked. The ICO, however, recommends that organisations should have a designated person, team and e-mail address for dealing with SARs and that staff are aware of what to do if they receive a SAR.
  • The organisation subject to the SAR can seek further clarification of the request (the time limit for responding being paused whilst clarification is provided). However, clarification should only be sought if (i) it is genuinely required in order to respond to the SAR; and (ii) the organisation processes a large amount of information about the worker.
  • The types of information that may be withheld. There is a broad range of potential exemptions to the right of subject access, including information relating to someone else, witness statements, whistleblowing reports, confidential references and information which is subject to legal professional privilege. Exemptions must, however, be applied on a case-by-case basis and organisations must justify and document the reasons for relying on them.
  • The right prevails over a non-disclosure agreement or a settlement agreement entered into by an employee and their employer.
  • The right still applies where an employee is going through a tribunal or grievance process.
  • Personal data covers all information recorded over an organisation’s channels such as social media platforms (and these platforms must be searched for any personal information falling within scope of a SAR) as well as CCTV footage, and workers are entitled to receive such information.
  • As far as CCTV is concerned, organisations should ensure their system allows personal information to be easily located and extracted in response to a SAR, and allows information relating to third parties to be redacted where this is necessary. If the CCTV system lacks such functionality, organisations must still comply with SARs; if need be, this means disclosing footage only with the consent of the other people in it, or where it is otherwise reasonable to do so without their consent.

The ICO guidance is available here.

If you require assistance with handling SARs, please contact a member of our Data Protection and Cyber Security team.

This article was co-written by Arina Yazdi, Trainee Solicitor. 
