A subject access request (SAR) is a request that can be made by an individual under the General Data Protection Regulation to see the data a company holds in relation to them. It’s important that you are aware of what your obligations are as an employer, particularly as the number of employees submitting SARs is on the increase.
Why would employees want to see this type of information?
Unfortunately, more often than not you’ll find employees making a SAR when they’re not happy with the way a formal process (typically a grievance, disciplinary or redundancy situation) has been conducted. There’s a strong possibility it might be to build a case which is leading towards an employment tribunal claim. It could also arise when an unsuccessful job candidate is seeking data to see if they were refused the role because of a protected characteristic and whether they could potentially have a tribunal claim.
What should you do if you receive a subject access request?
If you receive a SAR, you (or whoever is your designated data controller) must respond appropriately. So what does that entail?
There’s no escaping the fact that it’s a time-consuming process. Be aware that in most cases you only have a month to respond (defined as the corresponding calendar date in the next month) from the date the request was made. It’s possible to extend the deadline by another two months depending on the level of complexity and number of requests being made by the same person.
But even so, you must make sure the person who has submitted the request (known as ‘the data subject’) is informed about the extension and why it’s been asked for – and that must happen within the first month. Don’t rely on being able to extend the deadline – in most instances, you’ll need to provide the information requested within the month.
Ordinarily, you cannot charge a fee for providing this information (unless additional copies of the same information have been requested). There are however further exceptions to this rule – more on that shortly.
What information do you need to provide?
You’ll need to identify all the data the employee has requested in their subject access request – and that is a vast job. It can be an incredibly stressful one too, particularly when you’re busy dealing with other business priorities. Tracking it all down and pulling it together can involve quite a few employees and tie up an awful lot of your resources.
It gets even more complicated as you must then identify if the data falls into a category that does or doesn’t have to be released to the employee. You must also redact data that identifies other people.
All responses you provide must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. Make the employee aware of the reasons for any data not provided and advise them of their rights to make a complaint to the Information Commissioner’s Office.
What happens if you do nothing with the subject access request?
This is definitely not an advisable approach.
You must respond to the request, even if it’s to ask for clarification if the request is very broad. If the employee has already made several requests of a similar nature it might be deemed to be a “manifestly unfounded or excessive” request which is effectively trying to cause trouble and disruption.
The burden is on you to decide if that’s the case (the ICO website provides guidance to help you). If you decide to refuse to comply with the request, you must tell the individual why, and advise them of their associated rights, within the one-month deadline. Alternatively, you might decide to comply, but in these circumstances you can charge a ‘reasonable’ fee that reflects the level of administration needed.
Is there anything you can do to be prepared in case you’re suddenly faced with a subject access request?
It would be sensible to consider carrying out a monthly data housekeeping exercise in line with your data protection policy. Initially, it will take up some time but it can be done in a more managed way and to your timescale. By running through the process and making sure managers and employees who need to be involved with it are familiar with what it entails, it should run more smoothly if you’re suddenly called upon to do it for real. We’d advise working through a scenario where an employee requests all data held about them.
- Identify all locations where data could be held.
- They could include: email accounts and folders, documents and spreadsheets on desktops and laptops including archived and trash folders, cloud-hosted locations, back-up folders, personnel files (digital and hard copies) and other HR systems, phone text and other app messages, and handwritten notes.
- Be aware of the implications of remote working – data could be stored on an employee’s personal laptop for example.
- Delete any data that is no longer relevant.
You’ll find more information about your obligations here. If you feel you need further guidance about how to comply and reduce the risk to your business, please call us on 01455 231982 or get in touch via our contact page.