Skip to main content

Insight article

September 28, 2018

Employee data subject access requests

An individual’s right of access to data which is collected about them is set out in the new Data Protection Act 2018.

Under the Act, a “data subject” can make a data subject access request (a DSAR), and a “data controller” has a duty to comply, subject to some exceptions.

Although responding to a DSAR can be time-consuming and expensive, the obligations of transparency under the Act mean that you must be willing to explain how you are handling the request and to confirm this to the employee within the required time limit. If you do not, the employee may feel aggrieved and believe that you have failed to comply with the Act’s requirements, leaving you vulnerable to a potential complaint being made to the ICO or a court order to comply with the DSAR.

It is, therefore, important to respond to a DSAR in an appropriate manner.

What to do if you receive data subject access requests from employees

You should make an initial assessment to consider:

  1. whether or not you store or process data concerning the employee;
  2. whether you intend to respond;
  3. the scope of the request; and
  4. the proposed approach to finding the data and dealing with the response.

In general, regardless of any suspicions about the employee’s motivation, you should approach compliance in a positive and helpful way:

  1. you must facilitate the exercise of the DSAR;
  2. the request must be handled fairly and transparently;
  3. information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

In the employment forum, DSARs are frequently made in the context of an ongoing dispute or a tribunal or court claim. An employee may be genuinely motivated by a wish to find out what data is being processed and to ensure that it is accurate. However, the employee may also see the trouble and expense to which you may be put by dealing with a DSAR as offering useful leverage in a dispute and in achieving a settlement.

Your response

Your response should be in writing or, if appropriate, by electronic means. If the request was made originally by electronic means, information should be provided “in a commonly used” electronic form unless otherwise requested by the employee. At the employee’s request, the information may be provided orally as long as you are certain of the identity of the individual making the request. However, oral requests are rare.

Except in perhaps very straightforward cases, it would be sensible to take legal advice before either substantively responding to a DSAR or indicating a refusal to deal with such a request.

Are there any exceptions to the DSAR?

Under the Act, there is no obligation to comply with a DSAR in relation to the following:

Personal data in respect of which a claim of legal professional privilege could be maintained in legal proceedings. This applies only to documents which carry legal professional privilege for the purposes of English law.

Reference

A reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference, whether processed by the reference giver or the recipient.

Management

Personal data is processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that complying with a DSAR would prejudice the conduct of the business or activity. For example, it is likely to prejudice the conduct of a business if information on a staff redundancy programme is disclosed before it is announced to the rest of the workforce.

Records of Intent

Personal data consisting of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the DSAR would be likely to prejudice the negotiations.

Other

Other exceptions relate to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections and various corporate finance services.

What happens if you do not respond to a DSAR?

Other than in exceptional cases, you will be under a duty to take action on a request by responding. There are, however, some circumstances in which you may decide not to take action. Examples might be where:

  • the person to whom the DSAR was addressed is not the data controller (perhaps because it is acting as a data processor or someone else is the controller);
  • the request is unfounded or excessive; and/or
  • you can demonstrate that the request infringes the EU doctrine of abuse of rights.

If so, you must tell the employee without delay and, at the latest, within one month of receipt of the request. You must give reasons for not taking action. You must tell the employee of the possibility of complaining to the supervisory authority and taking legal proceedings.

Except in clear circumstances and in which you are confident you can justify a decision not to take action on a request (as might be the case if you are not the controller), you should engage with the employee and seek to limit the request.

For more information on data subject access requests, speak to employment lawyer Karen Cole today.

Note: This article is not legal advice; it provides information of general interest about current legal issues.

Stay in touch

Subscribe to our newsletter

Stay in touch

By completing your details and submitting this form you confirm you are happy for us to send you marketing communications and that you agree to our Website Privacy Policy and Legal Notice and to us using Mailchimp to process your data.


Sending

News/Insight

  • Family mediation and child arrangements
    What to do when you separate and there is no agreement in place for the children?


    Read more

  • Fair tips for all: New legislation ensures transparency in gratuity distribution.
    New rules to ensure fairness and transparency around handling tips, gratuities, and service charges for hospitality and other service sector businesses come into force on 1 July 2024. The new rules are designed to create an even-handed approach in si


    Read more

  • Is your business acquisition ready?
    Is your business ready for an acquisition? Learn key considerations from corporate lawyer Evangelos Kyveris at RIAA Barker Gillette, including growth strategy alignment, financial readiness, logistical preparation, and professional assistance for a s


    Read more

  • Preventing sexual harassment
    Employers are facing a pivotal moment as they brace for new regulations regarding sexual harassment set to take effect in October 2024.


    Read more

  • Why employers need a reflective response to employee beliefs
    Recent tribunal judgments on the freedom to express gender-critical views highlight the growing challenge for employers in safely navigating discrimination in the workplace in the face of increasingly complex social attitudes.


    Read more

What they say...

  • Georgina, July 2024
    “We used Peter Wright to act as a conveyancing solicitor in a recent house purchase. We found him approachable, affordable, would return calls, give any necessary advice without being intrusive, and was very thorough in all investigations on th

  • Oggy, July 2024
    “An excellent, professional and importantly, symapthetic service imparted to me from Karen at a most stressful time.” Employment

  • Sarah and Luke Oubridge, July 2024
    “We could not be more happy with the service provided by Herman and his team. From start to finish, we felt listened to, understood and also shared a laugh. Huge thanks.” Wills, tax and trusts

  • Tim Blunn, June 2024
    “My Solicitor (Patrick Simpson) was easy to speak to and very informative throughout my case. I would 100% recommend RIAA Barker Gillette (UK) LLP for employment related issues.”

  • Sabrina, June 2024
    “…mentioned a few complex areas and I appreciated the honesty and clear guidance provided. I would recommend [Pippa Marshall] highly.” Family law – prenup advice

Read more
Send this to a friend