A subject access request enables individuals to find out what personal data a Data Controller holds about them, why they hold it and who they disclose it to. For information to be personal data, it must relate to a living individual and allow them to be identified from it.
Employees sometimes make subject access requests to their employers or former employers to request access to information relating to their employment. Requests are often made when an employee has raised a grievance or after a disciplinary process is commenced.
Requests are also made where an individual is not employed by an organisation but has a relationship with the organisation such as a supplier, complainant or individual client of the organisation.
Points to consider concerning subject access requests are as follows:
- Be organised. The following can be implemented to help when a subject access request is received:
  - Training – Your staff should be aware of what a subject access request is, and training should be provided to relevant staff depending on their job role so they know how to respond to a request.
  - Policies – Include a data protection policy in your staff handbook, which should be readily available for all staff to access.
  - Data inventory – Prepare a database list setting out where all personal data is stored. Reliable indexes, file contents pages, descriptions of documents and metadata make it easier for those dealing with subject access requests to locate personal data. In larger organisations, an IT system may be used to process the subject access requests.
  - Monitor compliance – If you receive several requests, an appropriate structure should be in place to ensure they are processed and responded to effectively.
- Make sure the request is valid. The request must be in writing, and you may request a £10 fee, which is discretionary. You should verify the identity of the person making the request. Any request made by a third party on behalf of someone else should be refused unless you have a written, signed authority. You should also send a letter to the individual informing them that you will be disclosing information to the third party in accordance with their signed authority.
- Consider whether you require more information to be able to respond to the request. For example, you may require the dates that the employee was employed by the organisation. It is not possible to request that the individual narrows the scope of the subject access request but you may require further information to locate the information and respond.
- Time limit to respond – You must respond within 40 calendar days of either receipt of the request or receipt of further information and/or the fee. This is a short timeframe, and it can take a considerable period of time to respond to the request, so start the necessary work as soon as it is received. Factor in the time that it will take to carry out a review of the case by your solicitor, especially if there is third party personal data that needs to be redacted.
- Information to be provided – You should send the following information to the address of the individual:
  - Whether or not you hold his/her personal data
  - A description of:
    - The personal data that you hold on them
    - The purposes for which their data is being processed
    - The recipients or class of recipients of the data
  - A hard copy of the personal information (unless it would involve a disproportionate effort)
  - Information as to the source of the data
- Consider the extent of the search that needs to be conducted – The search might include a search of:
  - Electronic records
  - Archived information and back-up records
  - Information contained in emails
  - Information stored on personal computer equipment
  - Paper files
The Data Protection Act does not limit the duty to search for and retrieve data and the search can involve extensive effort. The Information Commissioner’s Office Subject Access Code of Practice states that you should be prepared to make extensive efforts to find and retrieve the requested information.
- Does an exemption apply? – You do not need to provide information in response to a request if an exemption applies. Some of the exemptions cover information which is subject to legal advice privilege or litigation privilege, information relating to the prevention or detection of crime, and information that would reveal evidence of criminal activity (other than an offence under the Data Protection Act 1998).
- The individual is only entitled to their own personal data – You must ensure that you consider redacting any documents or information relating to another individual unless you have their consent.
- In the event that the subject access request is made within the wider context of an employment dispute and that dispute is settled, ensure that any settlement agreement includes a clause to say that the subject access request is withdrawn and that no further requests will be made.
It is important to note that the financial penalties for any breaches will be increasing under the EU General Data Protection Regulation (which is due to come into force from 25 May 2018).
For more information on data protection generally, please have a read of my blog about complying with the Data Protection Act.
If you require any advice regarding a subject access request or data protection issue, please contact Farleys’ employment law team on 0845 287 0939 or complete our online form and one of our expert solicitors will get in touch with you.