Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firms

Female office worker shouting in a colleague's ear using a megaphone.
(Image credit: Getty Images)

New data shows the Information Commissioner’s Office (ICO) received more than 15,000 complaints about mishandled Data Subject Access Requests (DSARs) in 2023 – and many are being made by disgruntled ex-employees.

Launching new guidelines on how to respond to DSARs, the ICO recently revealed that the number of complaints it received increased by 13.5% in 2023 compared with the previous year, hitting a total of 15,335.

They amounted to 45% of all complaints received by the ICO.

The ICO is keen to make sure that organizations understand their obligations and respond appropriately.

"What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests," said Elanor McCombe, ICO policy group manager.

"For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. Similarly, employers may not realize that there is a strict time frame for responding to requests, and this must be kept to."

It's misunderstandings like this that lead to many complaints. However, according to Deborah Margolis, senior associate at GQ|Littler, many DSARs are from disgruntled former employees who use the data as a 'fishing expedition' to obtain copies of documents pre-disclosure, or as a strategy to encourage the employer to reach a settlement with them.

"Responding to DSARs can take up a significant amount of business resources in terms of both cost and management time. Bearing in how much data we create and process about employees on a daily basis, the time spent trawling through documents is overwhelming for many businesses," she said.

"DSARs were intended to help individuals to determine if their personal data was being mishandled but some individuals have now weaponized DSARs with the intention of causing disruption for employers and forcing them into reaching favorable settlements."

Earlier this year, the ICO reprimanded Plymouth City Council and Norfolk County Council for failing to respond to information access requests, while in September 2022 it took action against seven organizations that failed to respond to DSARs.

However, following Brexit, the government has proposed amendments to UK data protection law that would shift it away from GDPR, with a new Data Protection and Digital Information Bill expected to pass this year.

This, the law firm said, is expected to make compliance with DSARs less burdensome for businesses. In particular, it would be easier for organizations to reject or charge a fee for ‘vexatious’ DSARs.

"This would be a welcome change for employers, many of whom feel that the existing rules allows too many opportunities for abuse," Margolis said.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.