13
Mar
2020
1
subject-access-requests

Subject access requests : A guide for employers

CLICK HERE TO DOWNLOAD THE GUIDE

Individuals have a right to make data subject access requests under the General Data Protection Regulations (GDPR).

Requests

The subject access request must relate to personal data. Personal data means any information relating to an identifiable person who can be identified directly or indirectly.

A request may be wide in scope but if the request is very wide it may be less effective. Requests are often limited to subject matters, dates and for emails, the person receiving or sending the email.

Timescale

The request must be completed without undue delay and at least within one month.

The timescale can be extended up to two months if the request is complex and or the individual has made numerous requests.

Any extension and the reason for the extension should be communicated in writing before the initial one month expires.

Information supplied

The employer should provide the following:

  • A copy of the personal data being processed. (There are rules about processing data that includes information about other people. See the Information Commissioner’s Office (ICO) Guidelines.)
  • Confirmation of the purposes of the processing.
  • Clarification of the categories of personal data and the categories of the recipients the personal data has been disclosed to or will be disclosed to.
  • Information relating to the source of the data.
  • The period for which the data will be stored.
  • The data subject’s rights.

Refusal

If the request is manifestly unfounded or excessive, an employer can refuse the request.  The ICO has provided guidelines on what could be manifestly unfounded or excessive.

A request could, for example, be manifestly unfounded if it was malicious with the sole purpose of disrupting the employer.

An excessive request could, for instance, be where it overlaps with a previous request.

If an employer refuses the request it must give reasons to the employee.

However, rather than take the risk of a dispute the employer may be better off to answer the request in so far as a proportionate and reasonable response but reserve their position to argue that it was manifestly unfounded or excessive if challenged.

Fees

Generally employees cannot charge a fee for a subject access request.

Employers though are able to charge a reasonable fee for administrative costs where the request has been manifestly unfounded or excessive.

Exceptions

There are a number of exceptions to providing subject access requests. Examples include:

  • There is no obligation in relation to personal data which carries legal professional privilege.
  • There is no obligation for a confidential reference for employment, training or educational purposes.

For details of all the exceptions see the ICO guidelines.

This guide is intended for guidance only and should not be relied upon for specific advice.

If you need any advice on subject access requests or have other employment law queries please do not hesitate to contact me on 0203 797 1264.

Do check mattgingell.com regularly for updated information.

TO DOWNLOAD HR GUIDES FOR FREE




Download PDF
Share This