Skip to main content

Insight article

September 28, 2018

Employee data subject access requests

An individual’s right of access to data which is collected about them is set out in the new Data Protection Act 2018.

Under the Act, a “data subject” can make a data subject access request (a DSAR), and a “data controller” has a duty to comply, subject to some exceptions.

Although responding to a DSAR can be time-consuming and expensive, the obligations of transparency under the Act mean that you must be willing to explain how you are handling the request and to confirm this to the employee within the required time limit. If you do not, the employee may feel aggrieved and believe that you have failed to comply with the Act’s requirements, leaving you vulnerable to a potential complaint being made to the ICO or a court order to comply with the DSAR.

It is, therefore, important to respond to a DSAR in an appropriate manner.

What to do if you receive data subject access requests from employees

You should make an initial assessment to consider:

  1. whether or not you store or process data concerning the employee;
  2. whether you intend to respond;
  3. the scope of the request; and
  4. the proposed approach to finding the data and dealing with the response.

In general, regardless of any suspicions about the employee’s motivation, you should approach compliance in a positive and helpful way:

  1. you must facilitate the exercise of the DSAR;
  2. the request must be handled fairly and transparently;
  3. information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

In the employment forum, DSARs are frequently made in the context of an ongoing dispute or a tribunal or court claim. An employee may be genuinely motivated by a wish to find out what data is being processed and to ensure that it is accurate. However, the employee may also see the trouble and expense to which you may be put by dealing with a DSAR as offering useful leverage in a dispute and in achieving a settlement.

Your response

Your response should be in writing or, if appropriate, by electronic means. If the request was made originally by electronic means, information should be provided “in a commonly used” electronic form unless otherwise requested by the employee. At the employee’s request, the information may be provided orally as long as you are certain of the identity of the individual making the request. However, oral requests are rare.

Except in perhaps very straightforward cases, it would be sensible to take legal advice before either substantively responding to a DSAR or indicating a refusal to deal with such a request.

Are there any exceptions to the DSAR?

Under the Act, there is no obligation to comply with a DSAR in relation to the following:

Personal data in respect of which a claim of legal professional privilege could be maintained in legal proceedings. This applies only to documents which carry legal professional privilege for the purposes of English law.

Reference

A reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference, whether processed by the reference giver or the recipient.

Management

Personal data is processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that complying with a DSAR would prejudice the conduct of the business or activity. For example, it is likely to prejudice the conduct of a business if information on a staff redundancy programme is disclosed before it is announced to the rest of the workforce.

Records of Intent

Personal data consisting of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the DSAR would be likely to prejudice the negotiations.

Other

Other exceptions relate to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections and various corporate finance services.

What happens if you do not respond to a DSAR?

Other than in exceptional cases, you will be under a duty to take action on a request by responding. There are, however, some circumstances in which you may decide not to take action. Examples might be where:

  • the person to whom the DSAR was addressed is not the data controller (perhaps because it is acting as a data processor or someone else is the controller);
  • the request is unfounded or excessive; and/or
  • you can demonstrate that the request infringes the EU doctrine of abuse of rights.

If so, you must tell the employee without delay and, at the latest, within one month of receipt of the request. You must give reasons for not taking action. You must tell the employee of the possibility of complaining to the supervisory authority and taking legal proceedings.

Except in clear circumstances and in which you are confident you can justify a decision not to take action on a request (as might be the case if you are not the controller), you should engage with the employee and seek to limit the request.

For more information on data subject access requests, speak to employment lawyer Karen Cole today.

Note: This article is not legal advice; it provides information of general interest about current legal issues.

Stay in touch

Subscribe to our newsletter

Stay in touch

By completing your details and submitting this form you confirm you are happy for us to send you marketing communications and that you agree to our Website Privacy Policy and Legal Notice and to us using Mailchimp to process your data.


Sending

News/Insight

  • What is the Employment Rights Bill 2024?
    The Employment Rights Bill 2024 marks a pivotal moment in UK employment law, promising the most significant reforms in over three decades


    Read more

  • Autumn Budget Statement 2024
    Key implications for employment law, property law, and estate planning


    Read more

  • Disclosure against warranties in UK corporate transactions
    In UK corporate transactions, disclosure of information is a vital strategy for sellers to shield themselves from warranty claims when selling their shares or business.


    Read more

  • How the Employment Rights Bill 2024 impacts employers and businesses
    The government’s new Employment Rights Bill outlines significant changes to employment laws, focusing on workers' rights and flexibility.


    Read more

  • Business First Magazine
    Autumn/Winter 2024 Edition


    Read more

What they say...

  • Stephen, November 2024
    “Outstanding family lawyer who came through for me in a difficult case. In the world new to me of divorce and the aftermath, [Pippa Marshall] provided excellent advice from the first call and right through to conclusion. She made a difficult ex

  • M. M. Homes, November 2024
    “Charlotte explained everything very clearly and made the whole process nice and easy. Have already started recommending her to my friends.” Wills and LPAs

  • Nim, November 2024
    “I highly recommend James McMullan and his team. They all did a fantastic job with helping me through a particularly difficult family situation. They are extremely professional, caring, and experts in their field.” Probate and contentious

  • Man Kiu Wan, November 2024
    “Thank you Charlotte for your excellent and professional services.” Probate

  • Ms K, November 2024
    “I was recently made redundant, and my company had handled some of the process quite poorly. Patrick came recommended by a friend who had used him during her own redundancy, and I can now wholeheartedly recommend him myself. His initial consult

Read more
Send this to a friend