Individuals have a right to make data subject access requests under the General Data Protection Regulations (GDPR).
The subject access request must relate to personal data. Personal data means any information relating to an identifiable person who can be identified directly or indirectly.
A request may be wide in scope, but a very wide request may be less effective. Requests are often limited by subject matter, by date range and, for emails, by the person who sent or received the email.
The request must be completed without undue delay and, at the latest, within one month.
The timescale can be extended by up to a further two months if the request is complex and/or the individual has made numerous requests.
Any extension and the reason for the extension should be communicated in writing before the initial one month expires.
The employer should provide the following:
- A copy of the personal data being processed. (There are rules about processing data that includes information about other people. See the Information Commissioner’s Office (ICO) Guidelines.)
- Confirmation of the purposes of the processing.
- Clarification of the categories of personal data and the categories of the recipients the personal data has been disclosed to or will be disclosed to.
- Information relating to the source of the data.
- The period for which the data will be stored.
- The data subject’s rights.
If the request is manifestly unfounded or excessive, an employer can refuse the request. The ICO has provided guidelines on what could be manifestly unfounded or excessive.
A request could, for example, be manifestly unfounded if it was malicious with the sole purpose of disrupting the employer.
An excessive request could, for instance, be where it overlaps with a previous request.
If an employer refuses the request it must give reasons to the employee.
However, rather than take the risk of a dispute, the employer may be better off answering the request to the extent that a proportionate and reasonable response allows, while reserving its position to argue that the request was manifestly unfounded or excessive if challenged.
Generally, employers cannot charge a fee for a subject access request.
Employers are, however, able to charge a reasonable fee for administrative costs where the request is manifestly unfounded or excessive.
There are a number of exceptions to providing subject access requests. Examples include:
- There is no obligation in relation to personal data which carries legal professional privilege.
- There is no obligation for a confidential reference for employment, training or educational purposes.
For details of all the exceptions see the ICO guidelines.
This guide is intended for guidance only and should not be relied upon for specific advice.
Do check mattgingell.com regularly for updated information.