Since GDPR, How Do You Respond to Subject Access Requests from Employees?
Whatever the size of your business, you probably process significant amounts of personal data on clients and employees. The sensitive nature of this data means that you are bound by the legal rights of the data subjects, which includes their right of access to their personal data.
Sometimes referred to as SARs or DSARs, this guide explains your employees’ rights on making a Subject Access Request under GDPR, how they differ from the previous rules under the Data Protection Act 1998, and the processes required to effectively deal with them. The process is the same for requests received from other workers, or job applicants requesting personal data gathered during recruitment.
Key Changes Under GDPR
Subject access rights under GDPR are slightly different from those under the Data Protection Act 1998. For example:
- Employers must provide additional information – envisaged data retention periods, and information about employees’ rights to have the data rectified, erased, or to object to the processing
- Previously, SARs had to be in writing. Now, verbal requests are possible
- Previously, you could charge a £10 fee for responding to a SAR. Now, you cannot charge unless the request is manifestly unfounded or excessive
- Before, response time to a request was within 40 days of receipt. Now, you must respond without ‘undue delay’ and within one month of receipt (extended to three months for complex requests)
- The maximum fine for non-compliance on responding to a SAR has increased significantly from £500,000 to €20 million, or 4% of the undertaking’s total worldwide annual turnover if greater. However, the Information Commissioner’s Office (ICO) has emphasised that it intends to continue to use its powers to impose fines “proportionately and judiciously” and regards issuing fines as “a last resort”
Subject Access Rights under GDPR
When responding to a SAR, you must provide the employee with the following information:
- The purposes for processing the data
- The categories of personal data you process
- The recipients, or categories, to whom the data is disclosed (especially if outside the European Economic Area (EEA))
- How long you will hold the data
- The employee’s right to request rectification or erasure of data, and to restrict or object to processing
- The employee’s right to complain to the ICO
- The source of any data not provided by the employee
- The existence of any automated decision-making (including profiling), the logic involved, and the envisaged consequences of such decision-making for the employee
- The safeguards provided for the transfer of data outside the EEA (if relevant)
If a SAR is manifestly unfounded, excessive or repetitive, you can charge a reasonable fee for administrative costs or refuse to act on the request. But you must tell the employee, without undue delay and within one month of receipt, why you are not responding to the SAR and of their right to complain to the ICO and/or a court. If you are challenged, you will need to demonstrate your reasons.
Policies and Procedures
You should already have policies in place to guide both employees and managers on dealing with SARs; use the following to update them.
- On receipt of a SAR, assess whether the request is complex. With the volume and sensitivity of employee data typically held they may be complex, needing an extended three-month time limit. If so, notify the employee with the reasons why within one month of receipt of the request. Keep the employee informed throughout – regular communication helps reduce the risk of employees complaining to the ICO.
- Identify where the data is being stored, both electronically and manually. This may include the HR team, the line manager and the IT department. Your policy should specify the timescale for them to provide the data for review, including by legal advisers if necessary, before the SAR response is due.
- Employees responsible for dealing with SARs will need training.
Your data protection policy can specify how employees should submit SARs, which will help to identify them. However, an employee can still submit a SAR in some other way, including verbally or even via social media, which you should then confirm in writing; it’s important to regularly monitor all channels of communication.
Legally, there is no prescribed format for a valid SAR under GDPR. It simply needs to ask for copies of their personal information. For example, a request for “a copy of all information that you hold about me” or “all information relating to my recent grievance” will be a valid SAR.
You are not required to comply with a SAR if you cannot verify the identity of the individual making the request. It could be a previous job applicant, and you may need to check the individual’s identity before disclosing personal data – a copy of a utility bill should suffice.
Clarifying and Searching
Most SARs ask for “all information that you hold about me”. The ICO regards an individual’s right to access their personal data as fundamental. However, in some circumstances it may be possible to show that the employee’s request would require taking unreasonable steps.
Initially, discuss the scope of the request with your employee; you cannot ask them to limit the scope, but you can ask for further information to help locate the personal data. For example, if the employee is seeking personal information contained in emails, you could ask them to identify which email accounts should be searched, or parameter dates. Engaging with the employee about their request, even if they refuse to cooperate, may help your case should they later complain to the ICO.
The ICO’s Subject access code of practice may be of help.
Carrying out regular data audits to record where data is stored is beneficial, especially if third parties are involved, such as cloud based databases.
Searching email systems for personal data can be onerous. Ideally, set up your systems to simplify locating information. You may need to search local computer drives (such as the employee’s line manager) for personal data – your policy should set clear rules on the storage of employee data on personal devices.
Paper archives should also be searched. To save time, liaise with the employee to agree the search parameters.
If the employee’s personal data is mixed with that of other people, assess whether to disclose such third-party data. The Data Protection Act 2018 contains exemptions to some data types, including:
- Confidential employment references
- Personal data processed for management forecasting or planning if disclosure would prejudice the business (e.g. reorganisation plans)
- Records of your intentions in relation to negotiations with the data subject if this would prejudice the negotiations
- Information subject to legal professional privilege
Providing the Data to the Employee
The GDPR recommends that personal data should be provided via remote access to a secure system. Alternatively, provide the response electronically (unless otherwise requested) with password-protected documents, portable hard drive or USB device. This is a significant change from previous practice, as employers used to provide hard copy data.
Explain what searches you carried out and why searches may have been limited, either because they would require disproportionate effort or because the data is too intermingled with third-party data. Explanations reduce the risk of complaints to the ICO.
For further advice on SARs or any other staff issues, do call me on 0118 940 3032 or click here to email me.