In Brief - Subject Access Requests
09 April 2014
Employers today hold increasing volumes of personal information in relation to their employees. Given that such information is no longer solely held on manual personnel files, but is nearly always also held electronically, employers must ensure that they have policies and procedures in place to ensure that the personal data of employees is being processed correctly.
This is particularly important in the context of subject access requests. The Data Protection Act 1998 (DPA) allows employees to make a subject access request to their employers in relation to personal data held about them. As mentioned above, there is an array of employee personal data, both in hard copy and electronic form, which employers will typically hold. This may include, for example, personnel files (whether electronic or hard copy), emails and other correspondence containing employee details, or financial information. Employers should also note that they can receive subject access requests not just from their ‘direct’ employees but also from other categories of workers for whom they hold personal data, including any contractors, consultants, agency workers or even volunteers whose information they process.
Section 7 of the DPA provides that under a subject access request, individuals are entitled:
“(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller a description of—
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed”.
A subject access request should be made in writing (although employers can choose to respond to verbal requests, they are under no obligation to do so). Once a request is received, employers have forty days within which to respond.
Upon receipt of a request, employers should consider the following:
- Identity: Who is making the request? Employers should carry out appropriate checks to verify the identity of the individual making the request and confirm that they are the person to whom the personal data requested relates. In the event that a third party makes a request on behalf of an individual, employers should ensure that the third party provides the requisite authority proving that they are acting on behalf of the individual concerned.
- Fee: Whether the employer wishes to charge a fee. The current maximum fee you can charge for a subject access request is £10.
- Scope of Information: What information exactly does the employee require? Section 7(3) of the DPA provides that where a data controller reasonably requires further information in order to locate the information requested, the data controller is under no obligation to comply with the request until they are supplied with that further information. The Information Commissioner’s Office (ICO) have produced guidance entitled ‘Subject access code of practice’ which provides that, in responding to a subject access request, even if the relevant information is difficult to find and retrieve the data controller cannot delay in responding unless they ‘reasonably’ require further information in order to do so.
Section 8(2) of the DPA provides that the obligation to respond to a subject access request is not enforceable if supplying the information would involve a ‘disproportionate effort’ on the part of the data controller. The DPA does not go into detail about what this might involve; however, in its guidance the ICO stresses that the exemption should be used only in exceptional cases.
- Personal Data: Section 7 of the DPA provides for ‘personal’ data only. Employers should consider what personal data they hold in relation to this individual. Briefly, the DPA defines ‘personal data’ as “data which relate to a living individual who can be identified from those data”.
- Exemptions: Once employers have identified the personal data that they hold, they should consider if that personal data falls within one of the exemptions of the DPA. Section 7(4) provides that where a data controller cannot comply with a subject access request without disclosing third party information, then the data controller does not have to comply with the request unless (i) the third party has consented to the disclosure of the information; or (ii) it is reasonable to comply with the request without the third party’s consent. Section 7(6) provides guidance that in deciding whether or not it is reasonable to comply with the request in the absence of third party consent, regard must be had to (i) any duty of confidentiality owed to the third party; (ii) any steps taken by the data controller to seek consent; (iii) whether the third party is capable of giving consent; and (iv) any express refusal of consent by the third party.
Other exemptions which the employer should take into consideration when deciding whether or not to respond to a subject access request are set out in Schedule 7 of the DPA and include: confidential references given for employment or educational purposes; personal data including information relating to management forecasts; personal data relating to negotiations between the parties; and legal professional privilege.
In any event, employers should ensure that they are processing any personal data they hold in accordance with the appropriate legislation, and in particular in accordance with the eight data protection principles. Specifically where subject access requests are concerned, it would be prudent for employers to have specific procedures in place so that, in the event of such a request, they are as prepared as possible to respond appropriately within the statutory timetable imposed by the DPA.