We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.


Visit our debt recovery website

Data subject access requests can cause many headaches for employers.

What can be a quick exercise for the employee to request his, her or their personal data, can be a time-consuming and tedious process for the employer.

An employee’s right to access data held about them has been a major part of data protection law since at least 1984, but changes to data protection legislation and regulation have changed the way in which subject access requests should be processed.

Recognising a subject access request

First and foremost, you must identify the request as a subject access request. Whilst this sounds quite straightforward, it is not always the case.

A subject access request is any request by an individual for their own personal data. It does not have to mention ‘GDPR’ or the ‘Data Protection Act 2018’ nor must it specifically spell out that it is in fact a ‘subject access request’, so it is important to assess what the employee is actually asking for and whether it amounts to a subject access request. One measure to minimise this issue is by providing data subjects with templates to fill out in order to make a request identifiable and specific.

Identifying the individual and acting swiftly

It is essential that you confirm the identity of the person you are communicating with. By confirming their identity, the data controller is demonstrating compliance by not allowing unauthorised access to someone else’s personal data.

If the individual is your employee, this should be relatively straightforward to establish.  However, if you receive correspondence from their solicitor, ensure that you take steps to ascertain what they have been instructed to do by the employee on their behalf.

The Information Commissioner’s Office (ICO) has updated its guidance on timescales for responding to data subject individual rights requests, making it clear that you should respond within one month of the day that you give receipt of the request. However, an extension to respond may be granted in certain situations.

Identifying personal data

Employers are expected to conduct a reasonable and proportionate search of their hard copy and electronic filing systems in order to identify the personal data belonging to the individual.

Personal data is defined under Article 4 of the UK GDPR as information relating to an identified or identifiable natural person (data subject), including name, ID number, location data or an online identifier .

All forms of data should be considered, including employee files, Outlook accounts, audio recordings and CCTV footage.

Exemptions for not disclosing information

There are several acceptable reasons why personal data should not be disclosed, for example, where disclosure would prejudice defined public functions or communications are subject to legal professional privilege.

A request can also be refused if it is manifestly unfounded or excessive. For example, if an employee has been employed for 10 years and ask for all information held about that employee without specifying the specific information, people, time period and context, a general search may for such an employee result in several thousand emails alone which would need to be checked and time consuming redactions made for personal data of other people or other information to which the employee is not entitled to see.

Each such request would need to be assessed on a case by case basis.

If a request is refused, the data controller has certain obligations it owes to the data subject. For more support with exemptions relevant to your organisation, please contact us.

Disclose data securely

It is good practice to check with the individual how they would like the response to be sent to them to ensure the security of the information.

You should also make sure that you keep a paper trail of the subject access request, what you have done to address it and the information that you have provided.

Document any key decisions to ensure that you have all of the information readily available should an employee seek a review or raise a complaint with the Information Commissioner’s Office.

Ensuring compliance with GDPR

Organisations should ensure that their policies and procedures on handling subject access requests are updated in line with the Data Protection Act 2018 and that they comply with the UK GDPR. Failure to comply can lead to both restrictive and punitive measures.



Scroll to next section

Scroll back to the top