Skip to main content

Insight article

September 28, 2018

Employee data subject access requests

An individual’s right of access to data which is collected about them is set out in the new Data Protection Act 2018.

Under the Act, a “data subject” can make a data subject access request (a DSAR), and a “data controller” has a duty to comply, subject to some exceptions.

Although responding to a DSAR can be time-consuming and expensive, the obligations of transparency under the Act mean that you must be willing to explain how you are handling the request and to confirm this to the employee within the required time limit. If you do not, the employee may feel aggrieved and believe that you have failed to comply with the Act’s requirements, leaving you vulnerable to a potential complaint being made to the ICO or a court order to comply with the DSAR.

It is, therefore, important to respond to a DSAR in an appropriate manner.

What to do if you receive data subject access requests from employees

You should make an initial assessment to consider:

  1. whether or not you store or process data concerning the employee;
  2. whether you intend to respond;
  3. the scope of the request; and
  4. the proposed approach to finding the data and dealing with the response.

In general, regardless of any suspicions about the employee’s motivation, you should approach compliance in a positive and helpful way:

  1. you must facilitate the exercise of the DSAR;
  2. the request must be handled fairly and transparently;
  3. information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

In the employment forum, DSARs are frequently made in the context of an ongoing dispute or a tribunal or court claim. An employee may be genuinely motivated by a wish to find out what data is being processed and to ensure that it is accurate. However, the employee may also see the trouble and expense to which you may be put by dealing with a DSAR as offering useful leverage in a dispute and in achieving a settlement.

Your response

Your response should be in writing or, if appropriate, by electronic means. If the request was made originally by electronic means, information should be provided “in a commonly used” electronic form unless otherwise requested by the employee. At the employee’s request, the information may be provided orally as long as you are certain of the identity of the individual making the request. However, oral requests are rare.

Except in perhaps very straightforward cases, it would be sensible to take legal advice before either substantively responding to a DSAR or indicating a refusal to deal with such a request.

Are there any exceptions to the DSAR?

Under the Act, there is no obligation to comply with a DSAR in relation to the following:

Personal data in respect of which a claim of legal professional privilege could be maintained in legal proceedings. This applies only to documents which carry legal professional privilege for the purposes of English law.

Reference

A reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference, whether processed by the reference giver or the recipient.

Management

Personal data is processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that complying with a DSAR would prejudice the conduct of the business or activity. For example, it is likely to prejudice the conduct of a business if information on a staff redundancy programme is disclosed before it is announced to the rest of the workforce.

Records of Intent

Personal data consisting of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the DSAR would be likely to prejudice the negotiations.

Other

Other exceptions relate to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections and various corporate finance services.

What happens if you do not respond to a DSAR?

Other than in exceptional cases, you will be under a duty to take action on a request by responding. There are, however, some circumstances in which you may decide not to take action. Examples might be where:

  • the person to whom the DSAR was addressed is not the data controller (perhaps because it is acting as a data processor or someone else is the controller);
  • the request is unfounded or excessive; and/or
  • you can demonstrate that the request infringes the EU doctrine of abuse of rights.

If so, you must tell the employee without delay and, at the latest, within one month of receipt of the request. You must give reasons for not taking action. You must tell the employee of the possibility of complaining to the supervisory authority and taking legal proceedings.

Except in clear circumstances and in which you are confident you can justify a decision not to take action on a request (as might be the case if you are not the controller), you should engage with the employee and seek to limit the request.

For more information on data subject access requests, speak to employment lawyer Karen Cole today.

Note: This article is not legal advice; it provides information of general interest about current legal issues.

Stay in touch

Subscribe to our newsletter

Stay in touch

By completing your details and submitting this form you confirm you are happy for us to send you marketing communications and that you agree to our Website Privacy Policy and Legal Notice and to us using Mailchimp to process your data.


Sending

News/Insight

  • When charity shouldn’t begin at home
    The downfall of the Captain Tom Foundation is a cautionary tale of what happens when a charity gets too close to home — highlighting the complexities of charity governance and accountability in the sector. The foundation, created to continue the fu


    Read more

  • Six tips to make things simple for your executors
    An executor is legally responsible for carrying out the instructions set out in a will.


    Read more

  • Staying ahead in a changing legal landscape
    Regularly reviewing employment contracts and policies is essential for legal compliance and risk mitigation. Stay updated on legislative changes, workplace trends, and best practices to protect your business and employees.


    Read more

  • RIAA Barker Gillette (UK) acts for Alexander Nix in Commercial Litigation
    Press Release


    Read more

  • New sexual harassment rules may signal changes to office parties or a decline altogether
    Tomorrow is expected to be one of the busiest nights for office Christmas parties this year. While these celebrations are a staple of the festive season, offering a chance for colleagues to unwind and bond, they also bring unique challenges for emplo


    Read more

What they say...

  • Mikaela, February 2025
    “Martin was brilliant – so professional and personable. He clearly has a lot of expertise, and we always felt were in safe hands. He’s always available to speak on the phone, and is incredibly patient and reassuring. He worked effic

  • Bibiana Farenzena, February 2025
    “Victoria Holland and Evangelos Kyveris I want to thank you for your involvement and efforts on this case. You have been immensely helpful, and I appreciate all your knowledge and advice regarding this matter.”

  • Dabid Shaw, February 2025
    “Excellent , personalised one to one client care. Options laid out in a comprehensible manner. Fees appropriate for service provided.” Herman Cheung

  • Michael, February 2025
    “Martin was great to work with, despite a very difficult first buyer, second time round was the charm! Thanks to Sharon too.”

  • Annette, February 2025
    “We contacted RIAA Barker Gillette to get our wills arranged. Herman was professional & helpful with all aspects of the process. He explained everything clearly, notified in writing everything we discussed & answered the many questions

Read more
Send this to a friend