What is a subject access request?
May 15, 2025 3:50 pm
Under the Data Protection Act 2018, individuals have the right to request the personal data that you hold on them. A request for such information is called a ‘subject access request’. The right permits individuals to see the information that you process about them, not to actually receive a copy of the information. However, it is likely that the easiest way to allow the individual to see the information is by sending a copy of it to the individual.
Personal data
A subject access request must be in relation to an individual’s personal data, including special categories of personal data. “Personal data” is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, including a name.
“Special categories of personal data” includes information relating to e.g. race, religion, trade union membership, sex and sexual orientation.
Receiving a request
Subject access requests must be made in writing. However, it may be a reasonable adjustment to accept a verbal request where the individual making the request is disabled.
Subject access requests may be made on behalf of an individual by a solicitor, for example, or simply someone else whom the individual wishes to act for them. You must ensure that the third party is entitled to act on the individual’s behalf by requiring them to provide evidence of this, for example, a letter from the individual authorising the third party to act on their behalf.
What to do when you receive a request
When you receive a request, you should first ensure that the data requested is personal data relating to the employee.
If, for example, the request is general or vague, you are able to ask the employee to be more specific regarding the data they wish to have access to. You may ask them to provide information about the context in which the information about them may have been processed and about the likely dates when processing occurred if this will help you deal with the request.
Where a request is received that relates to, e.g., “all personal data relating to me” or where a large amount of data is processed on the employee, you may ask the employee to be more specific on the data to which the request relates. If the employee offers no more specific a request, you are able to either:
· charge a reasonable fee to comply with the request or
· refuse to deal with the request on the grounds that the request is “manifestly unfounded or excessive”. For example, the individual clearly has no intention to exercise their right of access; the request makes unsubstantiated accusations against you or specific employees; or the individual is targeting a particular employee against whom they have some personal grudge.
Payment
Employers may no longer request a fee from an employee in order to supply information as a standard procedure. The information must be provided free of charge unless the request is “manifestly unfounded” or excessive or further requests of the same information are made.
Time limit for providing information
Information must be provided without delay, and at the latest within one month of receipt of the request. However, where requests are complex or numerous, you may extend the normal one-month maximum time limit by a further two months, meaning that the overall deadline is three months from the date of receipt. Where you decide to use the extension, you must inform the employee within one month of receipt of the request and give reasons for the extension.
Where information identifies other people
In many cases, information that must be provided in response to a subject access request will identify people other than the requester. In these cases, you do not need to disclose the information except where:
· the other individual has consented to the disclosure or
· it is reasonable in all the circumstances to comply with the request without that individual’s consent.
You could also consider redacting documents in order to remove identification of the other parties.
Supplying the information
You must send a copy of the personal data in writing to the employee. You may also send it by electronic means and if the request was made by electronic means, your response should be in “a commonly used” electronic form.
Refusing a request
Where you make a decision to refuse to deal with the request, for example, because the request is “manifestly unfounded or excessive”, you must inform the employee without undue delay within one month, giving your reasons. You must also inform them of their right to complain to the Information Commissioner or to take legal proceedings.
Subject access requests and employee references
Under the Data Protection Act 2018, the right for individuals to access personal data processed by organisations does not extend to confidential employment references. This exemption applies to both the organisation who authors the reference and the organisation who receives the reference. For clarity, a reference that is provided to a requesting organisation should explicitly state that this is a confidential employment reference.
Top tips
Hindsight is a wonderful thing… This is just a reminder to be mindful of what you put in writing regarding candidates or employees. Here are some tips:
– Recruitment interview notes should be objective and comments kept to the answers given by a candidate. Make factual, non-discriminatory statements based on whether or not the candidate meets the criteria for the job role
– Appraisal records should comment on the performance of the employee objectively and should be fact-based, giving examples of strong performance and areas for improvement
– Emails regarding employees should not be defamatory
– Schedule a phone call or Teams call to discuss an employee’s performance, rather than having a long email exchange
– Consider what is recorded on email and whether it would be considered fair to the employee should they submit a subject access request…
If you receive a subject access request and would like further advice please email help@yourhrpartner.co.uk
This post was written by SKHR