ICO Guidance Updates for Employers

The Information Commissioner's Office (ICO) has recently issued updates to assist employers in dealing with data subject access requests (DSARs) and workers' health data.

Complaints about employers' non-compliance with DSARs are on the rise. Between April 2022 and March 2023, the ICO received 15,848 complaints in relation to DSARs, resulting in penalties for organisations in breach. Elanor McCombe, Policy Group Manager at the ICO, stated that employers are misunderstanding the nature of DSARs and underestimating the importance of responding.

The updated guidance, in the form of a Q&A, sits alongside a blog which briefly outlines employers' obligations and the consequences of non-compliance. It reiterates the worker's right to access their personal information and breaks down employer obligations in a clear and user-friendly format. It sets out the time frame for responding, what should be disclosed and what may be withheld, with reference to current issues such as social media and CCTV footage.

The guidance includes useful examples that reflect real-life situations for employers and clear up common misunderstandings. For instance, a DSAR does not have to be submitted in any particular format: a simple request such as 'can I have a copy of the notes from my last appraisal?' amounts to a DSAR.

Under the DPA 2018, there are exemptions from the right of access that allow employers to withhold certain data from disclosure. Determining whether personal data falls under an exemption is not always straightforward. In recognition of this, the ICO guidance contains examples of the most frequent scenarios an employer may face. For example, if a worker requests a copy of witness statements taken in response to an allegation of misconduct against them, the employer would need to consider whether it is reasonable to disclose this information. It must consider what personal information about the requester the statements contain, whether the witness gave their statement on the understanding that it would be kept confidential, and whether redaction is appropriate. If the employer had promised confidentiality as part of the process, and redaction would not prevent the witness from being identified, the employer may wish to withhold the statements. However, withholding information needs careful consideration: an employer will need to justify its reasons on a case-by-case basis, balancing the rights of the requester against those of the witness.

If, having considered the ICO guidance, an employer is in any doubt about how to deal with a DSAR, it should seek legal advice promptly. In her statement, Elanor McCombe confirmed that the ICO will continue to take appropriate action where necessary in order to protect the data rights of individuals.

Workers’ Health

The ICO has published guidance for employers on the processing of workers' health data. Any data relating to health is categorised as special category personal data, which is granted enhanced protection under the UK GDPR. The guidance reinforces the importance of complying with the strict requirements on processing health data and focuses on specific workplace scenarios, such as drug and alcohol testing and occupational health schemes. It also provides useful checklists for employers to work through when handling workers' health information.

The guidance also considers what employers should do where they need to share health information about workers with third parties, for example in an occupational health referral, in legal proceedings or under some other legal obligation. It highlights that there may be emergency situations in which an employer needs to share health information about a worker in order to help safeguard them.

Should an employer need to share such health information, it must:

  • consider the purpose for sharing the data, which must be reasonable and proportionate;
  • treat all workers fairly - health data must not be used in ways that would have unjustified adverse effects on them;
  • tell workers why and how their health data will be shared before sharing it; and
  • identify at least one lawful basis and a condition for processing before sharing any health information.

Moreover, an employer should consider whether there are any other legal constraints on sharing such information, which may include a duty of confidence owed to the worker.

The guidance confirms that a worker's health information should not normally be disclosed to other workers beyond those who genuinely need it to carry out their roles, e.g. HR. In some job roles and sectors, there may be specific legal requirements for an employer to inform other staff about a worker's health condition; this will be particularly relevant for health and safety purposes. However, the guidance confirms that, where possible, an employer should avoid naming individual workers unless the worker has freely consented to such disclosure of their health information.


The ICO guidance is presented in the form of Q&As and contains commonplace examples an employer may face in the workplace. It helps contextualise what can often be complex issues for employers when handling workers' health information, and is there to support employers in navigating data protection law and avoiding falling foul of the legislation.


This information is for educational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. © Shoosmiths LLP 2024.

