Subject Access Requests under the GDPR

Employees often wish to see a copy of the personal data that their employer holds about them. So, what does that mean when it comes to the GDPR? Zoe Parker, employment solicitor at Prettys, takes a look.

Currently, under the Data Protection Act 1998 (the “DPA”), individuals, including an organisation’s former or current employees, have the right to be:

Told whether any of their personal data is being processed;

Given a description of this personal data, the purposes for which the employer processes it and who the employer discloses it to;

Given a copy of their personal data; and

Given details of the sources of the data (where these are available).

Employees exercise this right by submitting a Subject Access Request (“SAR”) to their employer. The easiest way for an employer to respond to a SAR is to provide a copy of the personal data (and the additional information) to the employee. This is, of course, subject to potential restrictions on the employer’s obligation to comply, for example, where the employee’s personal data includes a third party’s personal data.

The current situation

At present, employers may charge a fee for dealing with a SAR. The maximum fee permitted is £10, unless the SAR covers special categories of data.

The employer must provide the response promptly and in any event within 40 calendar days from receipt of the written SAR or (if later) the day on which it receives:

The fee charged by the employer (if any);

Further information to satisfy itself of the identity of the requester (where this is reasonably required and the employer has requested this information; for example, it may not be reasonable to require this in the case of an employee with whom the organisation has had regular dealings); and

Further information to locate the information which the requester seeks (where this is reasonably required and the employer has requested this information; for example, the context, the type of personal data or the dates when the processing was likely to have occurred).

The Information Commissioner’s Subject Access Code of Practice suggests that the organisation should tell the employee that it needs the further information too.

Failure to comply with a Subject Access Request

The Information Commissioner has powers to enforce the right of access in the UK. First, an individual can ask the Information Commissioner for a compliance assessment. The Information Commissioner can assess an organisation’s compliance with the DPA including following a SAR.

If the Information Commissioner finds a breach, and the breach has caused or is likely to cause any person damage or distress, or it is otherwise reasonable in all the circumstances to do so, then she may issue an enforcement notice against the organisation. Failure to comply with an enforcement notice is a criminal offence. Secondly, the Information Commissioner can impose a fine where an organisation has committed a serious breach of the DPA that is likely to cause substantial damage or distress.

Alternatively, an individual may apply to court for an order to enforce compliance with a SAR, or compensation.

Get ready for the General Data Protection Regulation

On 25 May 2018, the General Data Protection Regulation (“GDPR”) will come into force. Under the GDPR, employees will continue to have the right to access their personal data. This is to allow data subjects to be aware of, and to verify, the lawfulness of the processing of their personal data.

It is advisable for employers to update their SAR procedure (whether written or otherwise) to comply with the GDPR. Some of the main changes include:

Fee

Under the GDPR, it will be free for an employee to make a SAR. However, an employer can charge a “reasonable fee” (taking into account administrative costs) where the request is “manifestly unfounded or excessive, in particular because of” its “repetitive character,” and/or for further copies requested by the employee.

Content of response

The right of access includes the right to know, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. An employer may need to include details about data retention, amongst other details, in its response.

Manifestly unfounded or excessive requests 

Following receipt of a manifestly unfounded or excessive request, the alternative to charging a fee is to refuse to action the request. However, the employer should explain to the employee why it refused to action the request and inform the employee of the right to complain (probably to the Information Commissioner) and of the right to seek a judicial remedy, within one month of receipt of the SAR. Further, employers should be prepared to “demonstrate” the manifestly unfounded or excessive character of the SAR.

Length of time to comply

An employer will have less time to respond to a SAR. Personal data must be provided without delay and at the latest within one month of receipt of the SAR. Where necessary, taking into account the complexity and number of requests, an employer can extend the period for compliance by a further two months. In such cases, the employer must inform the employee of the extension and the reasons for the delay within one month of receipt of the SAR.

Electronic requests

If the SAR is made electronically, for example, by email, then the employer should provide the response in a “commonly used electronic format,” unless the employee requests otherwise.

Self-service

Where this is possible (and, as the Information Commissioner’s Office’s guidance suggests, appropriate to the type of organisation), remote access to personal data via a secure system will be encouraged as an example of best practice.

Balancing the right of access with the rights of others

One employee’s right of access should not adversely affect the rights and freedoms of others, for example, trade secrets and intellectual property. This appears to refer to the third party data consideration already in existence under the DPA.

Large amounts of personal data

Where an employer processes a large amount of personal data about an employee, the employer is permitted to ask the employee to specify the information or processing activities to which the SAR relates.

Where the employer “has reasonable doubts concerning the identity” of the SAR requester, the employer “may request the provision of additional information necessary to confirm the identity” of the requester. So, under the GDPR, it seems that employers should continue to act reasonably when verifying the identity of the person making the SAR.

HR Checklist

The abolition of the optional SAR fee under the GDPR is likely to increase the number of SARs that employers receive. Additionally, employers will have a shorter time frame within which to comply. Therefore, the critical point for employers is to review and update their SAR systems and procedures now so that they are GDPR-compliant, ready for the May 2018 deadline.
