• Employers faced with a subject access request should ensure they refer to the updated guidance recently issued by the Information Commissioner's Office. The guidance has been amended to reflect recent case law (summarised here) and notes (at pages 43-44) that data controllers are required to carry out only a reasonable and proportionate search for personal data. However, it stresses that there is a high expectation that information will be provided in response to a SAR and that the burden of proof will be on the data controller to show that it took all reasonable steps to comply. The guidance states that it is good practice to have an open conversation with the applicant about the information they require and that, if a complaint is lodged, the ICO may take into account the data controller's willingness in this respect as well as the level of co-operation from the applicant. The guidance also reflects the case law confirming that an applicant's motive for making the SAR is not relevant, although an abuse of process is one of the factors that may influence the court when exercising its discretion to order compliance (page 64).
• An EU working party has published an Opinion giving guidance on processing employees’ personal data at work in light of the capabilities of modern technology. If there are inappropriate limits to the processing, and if it is not transparent, there is a high risk that the legitimate interest of employers in improving efficiency and protecting company assets is not properly balanced with data subjects’ rights and freedoms, so that the basis for processing becomes unlawful. The Opinion is clear that, for most data processing at work, consent cannot and should not be the basis for processing – this will be a significant change of approach for employers. Instead, a legitimate basis for processing employee data is likely to be where it is necessary for performance of the contract, to comply with legal obligations (eg, employment law) or where the employer seeks to rely on a legitimate interest and the processing is necessary for that legitimate interest, balanced against the rights and freedoms of the employee. Regardless of the basis for processing, the processing must be transparent and secure. A blog post discussing the Opinion in more detail is available here.