Data Subject Access Requests can strike fear into the heart of any HR professional. We reported in April that the Court of Appeal had issued two significant judgments on the extent to which a company can refuse to comply with a request. In light of these developments and in advance of the coming into force of the General Data Protection Regulation in 2018, the Information Commissioner’s Office has updated its guidance on SARs.
The code now contains further guidance on the use of the “disproportionate effort” exception, stating that the exception "cannot be used to justify a blanket refusal" of a SARs, as "it requires you to do whatever is proportionate in the circumstances". The guidance also deals with the issue of the data subject’s motivation for making the request, indicating that this is one of the factors a court may wish to take into account when deciding whether to order compliance with the request.
It is likely that we will see further changes to guidance around SARs to coincide with the introduction of the GDPR in May 2018. The ICO has undertaken a significant marketing campaign to encourage employers to prepare for the changes. To help you get prepared, LAW will be running Spotlight courses on the changing data protection landscape in September (12th September in Glasgow and 21st September in Edinburgh). Further details and booking information can be found on our website at http://www.lawatwork.co.uk/seminars-events