It’s nearly a year since the GDPR and Data Protection Act 2018 came into force. Despite this, employers are still awaiting the promised publications from the Information Commissioner’s Office. We take a look at one area that organisations and employers are grappling with in increasing numbers: the Subject Access Request (SAR).
Employees and workers have the right to access their personal data, find out why it is being used and obtain any supplementary information by making a SAR. These are not new under the GDPR or DPA 2018, but there are some important changes which employers must not be caught out by. Three key changes are:
- Under the old law, the individual could be charged a maximum of £10. Employers can no longer make a charge unless a request is “manifestly unfounded or excessive, in particular because of its repetitive character”. Then, organisations can charge a “reasonable fee” taking into account the administrative costs of providing the information, or may refuse to act altogether. This could discourage very onerous SARs, but as yet there is no guidance on what is “manifestly unfounded” or “excessive”.
It is for the organisation or employer to show that the request is “manifestly unfounded” or “excessive”, so it would be risky to rely on it unless it is a very extreme case.
- Previously, an organisation had up to 40 days to respond to a SAR but, under the GDPR, you must respond without undue delay and in any event within one month.
There is the potential for an extension of an additional two months if the request is particularly complex or there are numerous requests.
If time is extended the organisation must inform the individual of this and provide reasons. The one-month deadline starts from the time the organisation has received the request together with any information it needs to verify the identity of the individual making the request (which it must ask for as soon as possible).
- The SAR no longer has to be made in writing. This means a request could be made verbally, on the phone, or via social media, to any person in your organisation. It does not even have to use the words “subject access request” – it just has to be clear that the individual is seeking their own personal data. It is always better to insist that the request is made in writing, so that the scope of the personal data being requested is clear.
It is vital that every person in an organisation knows how to recognise a SAR and what to do with it. From an employer’s perspective, this will mean training not only Data Protection and Compliance teams and HR departments, but also managers and anyone else who might receive a request from a current or former member of staff. They will also need to know what information needs to be provided, since they might be storing information that is not accessible or retrievable by an organisation’s data searches, and what information should not be provided.
An employer responding to a SAR must produce copies of the information it holds in permanent and intelligible form, that is, understandable to the average person. Usually it will provide the information electronically unless asked otherwise.
In many cases the individual may simply want to know what data is stored about them and whether it is accurate, and perhaps ask for some or all of the data to be corrected or erased, or object to its processing.
However, it is becoming increasingly common for current or former members of staff to ask for personal data in preparation for or as part of an Employment Tribunal claim about, for example, a dismissal or treatment which is alleged to be discriminatory. Employment Tribunal claims have risen sharply since 2017 when Employment Tribunal Fees were ruled unlawful by the Supreme Court.
How should an employer respond to a SAR?
First, you will need to go through the exercise of extracting all the data the organisation holds relating to the individual. There is no easy way to do this, although some organisations will have more sophisticated search methods than others.
For an employee or ex-employee, this could produce hundreds of documents. It is possible to ask the individual for more information to narrow down their request, but if they refuse to narrow it down or do not respond, you must still endeavour to respond to their original request.
However, individuals are not entitled to all and any information about themselves. Before any data is disclosed, the employer needs to go through a sifting exercise for each piece of data, asking questions such as:
- Is the content directly about the individual or their activities? A group email from HR to all staff with Christmas closure dates is unlikely to contain personal data.
- What is the purpose for keeping the data? If it is not in order to keep records about that individual or make decisions about them it may not be personal data. The ICO gives the example of data held to monitor the efficiency of a piece of machinery, rather than any data held about the employees operating it.
- Does an exemption apply? For example, is the information covered by legal privilege, or does the exemption for confidential references apply? Under the old regime this only used to cover a SAR made to the giver of a confidential employment reference, but now employers who are either giving or receiving confidential references can rely on an exemption under the DPA 2018.
- Does the data identify other individuals? Particular care needs to be taken here in dealing with such data and our advice should be sought. In essence there is a balancing act to be struck if other individuals have not given consent for that data to be disclosed. You may have to redact parts of the information.