After the GDPR: Subject Access Request Exemptions
Given that the timeframe to respond to a Subject Access Request is now one month organisations need to make sure they have appropriate systems in place to respond.
At a recent webinar, the ICO also reported that they have received over a 50% increase in the number of complaints since the GDPR came into force. That means that in this new era where employers and consumers are aware of their rights, organisations need to make sure they are able to correctly comply with data protection legislation.
Organisations do not always have to disclose all of the personal data they hold under a subject access request as there are a number of exemptions available. Understanding these exemptions and applying them correctly can save time by preventing unnecessary work or disclosure and protecting your organisation from risk.
What are the exemptions?
Some of the main exemptions available are:
- Legal Privilege – this exemption applies to personal data which a claim of legal privilege could be maintained in legal proceedings. There are a number of different types of legal privilege including legal advice privilege (where information produced for the purpose of obtaining legal advice is protected) or litigation privilege (where confidential information between a lawyer, a client or a third party has been obtained for the purpose of litigation). There is a high threshold to achieve legal privilege and therefore it is advisable to seek legal advice before relying upon this exemption. Care should also be taken to not inadvertently waive privilege. For example, creating a separate document based upon legal advice received and asking individuals to comment within this document may mean that documents do not attract legal privilege and would be disclosable under a subject access request.
- Purely Personal or Household Activity – this exemption covers an individual’s personal information. For example, where an employee uses the employer’s IT system to contact their personal electricity provider for their own home. This exemption is unlikely to cover records made personally in a work context (e.g. where an employee makes records about their personal feelings towards a colleague or a situation that has arisen in the workplace).
- References given in confidence – this covers a reference given (or to be given) in confidence for employment, training or educational purposes. It covers all of the personal data within the reference whether processed by the reference giver or the recipient. It does not cover comments made about a reference received from a third party and therefore care should be taken about how such information is recorded or communicated.
- Management forecasting or management planning – this covers personal data processed for the purposes of management forecasting or planning relating to a business or other activity that would prejudice the conduct of a business. For example, this could include information if it is likely to prejudice a staff redundancy programme if disclosed in advance.
- Negotiations between employer and employee - personal data consisting of records of intentions between an employer and employee to the extent that complying with the subject access request would prejudice these negotiations. For example, if you are negotiating an exit with an employee an employer would not need to disclose details recording the maximum compensation they are willing to pay.
There are also other exemptions available relating to self incrimination, regulatory functions, judicial appointment and proceedings, the honours system, criminal investigations, tax collection and various corporate finance transactions.
Each case will need to be considered on a case-by-case basis as whether an exemption is applicable will depend upon the nature of the individual’s request.
The confidential references exemptions is a substantial change to previous legislation where only the organisation providing the reference did not have to disclose the information. As a result, individuals could request a copy of the reference from the organisation receiving the reference. The GDPR has put an end to this which may mean employers are more willing to give a more detailed reference. However, this may be subject to challenge in the future given that an individual will not be able to know if false information has been provided about them within in a reference. It is also worth remembering that the reference could still be disclosable as part of Tribunal proceedings.
Full guidance on these exemptions is still awaited from the Information Commissioner’s Office (ICO) and more information about how widely the exemptions can be interpreted is likely to published in the near future.