Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firms
Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
New data shows the Information Commissioner’s Office (ICO) received more than 15,000 complaints about mishandled Data Subject Access Requests (DSARs) in 2023 – and many are being made by disgruntled ex-employees.
Launching new guidelines on how to respond to DSARs, the ICO recently revealed that the number of complaints it received increased by 13.5% in 2023 compared with the previous year, hitting a total of 15,335.
They amounted to 45% of all complaints received by the ICO.
The ICO is keen to make sure that organizations understand their obligations and respond appropriately.
"What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests," said Elanor McCombe, ICO policy group manager.
"For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. Similarly, employers may not realize that there is a strict time frame for responding to requests, and this must be kept to."
It's misunderstandings like this that lead to many complaints. However, according to Deborah Margolis, senior associate at GQ|Littler, many DSARs are from disgruntled former employees who use the data as a 'fishing expedition' to obtain copies of documents pre-disclosure, or as a strategy to encourage the employer to reach a settlement with them.
"Responding to DSARs can take up a significant amount of business resources in terms of both cost and management time. Bearing in mind how much data we create and process about employees on a daily basis, the time spent trawling through documents is overwhelming for many businesses," she said.
"DSARs were intended to help individuals to determine if their personal data was being mishandled but some individuals have now weaponized DSARs with the intention of causing disruption for employers and forcing them into reaching favorable settlements."
Earlier this year, the ICO reprimanded Plymouth City Council and Norfolk County Council for failing to respond to information access requests, while in September 2022 it took action against seven organizations that failed to respond to DSARs.
However, following Brexit, the government has proposed amendments to UK data protection law that would shift it away from GDPR, with a new Data Protection and Digital Information Bill expected to pass this year.
This, the law firm said, is expected to make compliance with DSARs less burdensome for businesses. In particular, it would be easier for organizations to reject or charge a fee for ‘vexatious’ DSARs.
"This would be a welcome change for employers, many of whom feel that the existing rules allow too many opportunities for abuse," Margolis said.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
