Under the General Data Protection Regulation (GDPR), individuals have the right to a copy of the personal data that your organisation holds about them. This is often known as a subject access request (SAR). The Information Commissionerʼs Office (ICO) has recently issued new guidance for businesses and employers about how SARs should be dealt with.
The law
Employers must respond to a SAR from a worker without delay, and within one month from receiving the request. If it is a complex issue, you might be able to extend this for up to two months. But if you donʼt respond within the right timeframe, or at all, there is the possibility of fines or reprimand from the ICO.
In the ICOʼs own words: ʻThe right of individuals to access information that organisations hold on them is one that is vital for transparency and is enshrined in law. What we see now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests.ʼ
Getting it right
In practice, though, what does compliance look like? It might sound straightforward, but reality does not always fit textbook scenarios.
To help your staff recognise a request, they need to know that SARs can be made in all sorts of ways: there is no formal procedure needed. Contact can be verbal, in writing – even via social media. Questions as simple as ‘ What information do you hold on me? ʼ or ʻcan I have a copy of the notes from my last appraisal?ʼ count as SARs and need an appropriate response. There is no necessity even to use the words subject access request – it is up to your organisation to identify that this is what is being made.
It’s important, too, that staff know how to respond and who to pass the request to. A valid request can
be made by means of contact with any part of your organisation: it doesnʼt have to be addressed to a specific person. But the employerʼs side of the equation is different, and the ICO does expect you to have a designated person, team and email address to deal with SARs.
With more than 15,000 complaints in this area made to the ICO last year, it is important that businesses and employers get it right. Further details can be found on the ICO website.
Information for readers: This material is published for the information of clients. It provides only an overview of the regulations in force at the date of publication, and no action should be taken without consulting the detailed legislation or seeking professional advice. Therefore no responsibility for loss occasioned by any person acting or refraining from action as a result of the material can be accepted by the authors or the firm.
