Data subject access requests can cause many headaches for employers.
Making the request is a quick exercise for the employee, but responding to it can be a time-consuming and tedious process for the employer.
An employee’s right to access data held about them has been a major part of data protection law since 1984, but updates within the 2018 Data Protection Act have changed the way in which subject access requests should be processed.
Recognising a subject access request
First and foremost, you must identify the request as a subject access request. Whilst this sounds quite straightforward, it is not always the case.
A subject access request is any request by an individual for their own personal data. It does not have to mention ‘GDPR’ or the ‘Data Protection Act 2018’, so it is important to assess what the employee is actually asking for and whether it amounts to a subject access request.
Identifying the individual and acting swiftly
It is essential that you confirm the identity of the person you are communicating with.
If the individual is your employee, this should be relatively straightforward to establish. However, if you receive correspondence from their solicitor, take steps to confirm that the solicitor is acting on the employee's instructions and exactly what they have been authorised to request on the employee's behalf before you disclose anything to them.
The Information Commissioner's Office (ICO) has updated its guidance on timescales for responding to data subject individual rights requests, making it clear that you should respond within one month of the day on which you receive the request, not the following day.
Identifying personal data
Employers are expected to conduct a reasonable and proportionate search of their hard copy and electronic filing systems in order to identify the personal data relating to the individual.
This may include client and employee files, email accounts (for example Outlook mailboxes) and data held by your data processors.
All forms of information should be considered, including audio recordings and CCTV footage.
Exemptions from disclosure
There are several acceptable reasons why personal data may be withheld, for example where disclosure would prejudice defined public functions or where communications are subject to legal professional privilege. Any exemption should be applied only to the specific information it covers, with the rest of the data still disclosed. For more support with the exemptions relevant to your organisation, please contact us.
Disclose data securely
It is good practice to check with the individual how they would like the response to be sent to them, and to use a secure route, such as an encrypted file or a secure portal rather than an unencrypted email attachment, to ensure the security of the information.
You should also keep a record of the subject access request, what you have done to address it and the information that you have provided.
Document any key decisions to ensure that you have all of the information readily available should an employee seek a review or raise a complaint with the Information Commissioner’s Office.
Ensuring compliance with GDPR
Organisations should ensure that their policies and procedures on handling subject access requests are updated in line with the Data Protection Act 2018 and that they comply with the General Data Protection Regulation (GDPR).