Under the Data Protection Act 1998, an employee has a right to make a data subject access request to find out what information their employer holds about them. The main purpose of such a request is to enable an employee to check that their employer is processing their data lawfully, for example, is their data correct or is it being shared with someone it shouldn’t be? It is not meant to be a “fishing expedition” by a disgruntled employee who is trying to catch out their employer or gather ammunition for a Tribunal claim.
In simple terms, an employee who pays £10 to their employer to make a subject access request has the following key rights:
- The right to know if their personal data is being processed.
- If so, the employee must be given a description of the personal data held about them, the purposes for which it is being “processed” and the people or types of people to whom that data may be disclosed.
- The right to the following information, communicated in an “intelligible” form:
- The employee’s personal data which is held by the employer; and
- Any information available to the employer on the source of the data.
A helpful starting point, if faced with a subject access request, is the Information Commissioner’s Code of Practice. This is not legally binding but it does make helpful, practical suggestions on how an employer might handle a subject access request to ensure that they comply with their data protection obligations.
A recent High Court case has also shed some light on subject access requests and raised some helpful principles (below).
What does this mean for you or your business?
- An employer is only required to supply personal data which is found after a reasonable search. An employer does not have to comply with a subject access request if it will involve “disproportionate effort”. This might include searches which would be particularly lengthy, costly or complicated. If you think this might apply, give us a call!
- The aim of subject access requests is not to provide claimants or potential claimants with information or documents which may assist them in litigation. An employee should, therefore, have a proper purpose or motive for making such a request. If you think this is not the case, speak to us.
- An employer is required to search their “relevant filing systems”. Manual records should be sufficiently sophisticated to be as accessible (or virtually as accessible) as computerised filing systems. Therefore, complicated or disorganised, manual filing systems may not satisfy this definition. Perhaps this is a good reason not to update your systems!
What do you need to be doing now?
If faced with a subject access request, try not to panic. Check out the Information Commissioner’s Code of Practice, and ask for our advice if necessary. But do not think that you have to bend over backwards to search for an employee’s personal data. You may not have to.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.