Since the introduction of the General Data Protection Regulation and the Data Protection Act 2018, we have experienced a considerable rise in the number of Subject Access Requests made to our employer clients.
Requests can be burdensome, time-consuming and costly to deal with, but there are some practical ways to minimise these problems.
A subject access request enables individuals to find out what personal data you (the “Data Controller”) hold about them, why you hold it and who you disclose it to. For information to be personal data, it must relate to a living individual and allow them to be identified from it, directly or indirectly.
Employees and workers often make Subject Access Requests to current or former employers to obtain information relating to their employment. Requests are often made when an employee has raised a grievance, after a disciplinary process is commenced, or with a view to pursuing a Tribunal claim.
Once a request is made, you have only one month to respond, unless you are able to justify an extension of up to three months.
Responding to requests can be hugely burdensome due to the time it takes to identify, search and gather the personal data requested.
A failure to meet the deadline or provide staff with access to all the data they request could expose you to significant risk and penalties.
In the UK the data protection supervisory authority is the Information Commissioner’s Office, which has a range of enforcement tools available including issuing warnings, conducting audits, ordering compliance and imposing large fines.
Dealing with Subject Access Requests can be really difficult for employers. However, these practical tips should assist with minimising their impact.
- Reduce the volume of data you hold – if you have a robust system of retention and deletion of documents it will help reduce the number of emails and other documents to review.
- Ask if there is anything they are specifically looking for – in the majority of cases the individual is looking for something in particular. Requesting that they reduce the scope of their request by a date range or email sender will help considerably.
- Make sure the person responsible for conducting the search understands the definition and meaning of “personal data” and “sensitive personal data” so that it can be identified quickly and easily.
- Extract data or provide documents? – when providing someone with access to their personal data you cannot disclose someone else’s personal data. You may, therefore, have to redact the documents, which can be time-consuming. An alternative may be to extract the relevant data from the documents and provide it to the person making the request in a different format.
- Rethink what you put in writing – if something isn’t written (hard-copy or online) it won’t need to be disclosed.
- Use a data room or other secure mechanism to provide the documents to the employee; uploading them will be easier for you than trying to send a huge file via email.
Ellen Goodland is a trainee solicitor at Royds Withy King's employment and HR office in Swindon.