The Data Protection Act provides employees with a right to access personal data. This is known as the ‘right to a subject access request’.
It can be time-consuming, costly and inconvenient for the employer, but unfortunately it is like going to the dentist: it needs to be done!
What does it involve?
The right involves access to:
- What personal data is being processed about them
- Why it is being processed
- Who it is being disclosed to or could be potentially disclosed to
- The logic and reasoning behind any automated decisions that have been made about them
- Any information about the source of the data
- A copy of this information.
The law does not specify in what particular form the requests must be made, but they should be in writing. The request needs to include enough information for you to be able to locate the information the employee is seeking. This is why some employers choose to have a form which asks all the pertinent questions to fulfil the employee’s request. However, you cannot force them to submit requests in this way. They are within their rights to send in a request by some other means, for example, a letter, email or fax.
Just because the employee’s written request does not include an explicit reference to the Data Protection Act or the words “subject access request” does not mean it is invalid or that it should not be dealt with.
When dealing with requests from disabled employees, you need to think about your obligations under the Equality Act 2010. If a disabled employee finds it difficult to submit a request in writing, you should make a reasonable adjustment (e.g. accept a verbal request).
You need to carry out a reasonable check to verify the identity of the person making the request. If the employee has not provided you with enough information to check their identity, ask them for more. This will avoid personal data being disclosed to the wrong person!
You can charge a fee of up to £10 to deal with the request.
You are required to deal with the request within 40 calendar days of receiving it. Employers can often find it difficult to comply with the request in this timeframe, so it is essential to get started with locating the information as early as possible.
It can seem like an arduous task, especially if the request is very wide, or because of the way in which information is stored. For example, if the employee wants access to all emails relating to themselves over the last 12 years of employment, this may be a cumbersome process. You should speak to the employee to find out what they really want to know, so that you can narrow the parameters of the search. If they do not budge, you will need to supply them with all the information requested.
Searches could include looking through computerised systems and any manually held information as part of a relevant filing system, such as CCTV footage, emails, recordings of phone calls, databases, word processing systems, records of automated door entry systems, hard drives and paper records.
In some cases, an employer will need to think about whether they are divulging data about third parties. You will only be able to go ahead with the request if the third party has given their consent or if it would be considered reasonable to do so without the explicit agreement of the third party. The third party’s identity could be protected by, for example, redacting their details from documentation – however, it may still be possible to identify the third party because of other information in the document.
You need to provide the employee with the information requested in an “intelligible” form. Typically, they should be given a copy in permanent form (e.g. photocopy) of the personal data held by you.
Again, if the employee is disabled, you need to consider making reasonable adjustments, for example, by providing them with copies of information in Braille.
Limits on number of requests
The Data Protection Act does not set out a specific limit on the number of times an employee can submit a request, but requests should not be made at unreasonable intervals. This means that an employer does not need to comply with a similar request unless a reasonable amount of time has passed since the previous one.
Failure to comply
If you do not comply with the request the employee may submit a complaint to the Information Commissioner’s Office (ICO). The ICO will look into the matter to assess the nature of the request and if they agree with the employee, they can issue an enforcement notice requiring you to comply. They can also issue fines if they believe that there has been a serious breach of the Data Protection Act.
EU General Data Protection Regulations
The EU General Data Protection Regulations were passed in May 2016. The UK government has been clear that, despite Brexit, it will implement the regulations. Although EU Member States have until 25th May 2018 to implement the new rules in their national laws, you need to think now about how to plan for the changes in your organisation.
The Regulations make some changes to subject access requests:
- They scrap the option of employers charging a fee. The only exception to the general rule is if the request is “manifestly unfounded or excessive”.
- The employer must respond within one month. This may be extended in certain circumstances, for example, if the employer has to deal with a particularly complex issue.
If you have any questions about Subject Access Requests, contact your Employment Law Adviser who can guide you through the process and give you guidance about the new EU General Data Protection Regulations.