When employees are let go, what sometimes follows is a request by the employee for their personal data from the employer. This personal data can then be used as ammunition for the employee to support any legal claims that they may have against an employer. So, if any such request is made, what are the rules of engagement for both employees and employers regarding the disclosure of personal data?
What is a Subject Access Request?
Under the General Data Protection Regulation, individuals are given the right to access the personal data that a company or employer holds about them and ask questions like, ‘why are you holding this?’, ‘where did you get this information from?’, and ‘who are you disclosing it to?’.
A subject access request (SAR), although it must be in writing, does not have to be presented in a particular form, and it does not have to include the words ‘subject access’. The requester could even mistakenly cite the Freedom of Information Act to justify the request, in which case the employer would still need to treat the request as a SAR.
Five Things to Consider If You Are an Employee Making a SAR
1. How to make a SAR
Your employer cannot force you to submit a SAR in a format or structure that they prefer. As long as your request is in writing (or even an email), then your employer will have to respond to it.
It might, however, be useful to specify a few pieces of information in your SAR; for example, tell them the information you need and any relevant dates, give your contact details, and reference the one-month deadline that your employer will need to comply with.
The time in which your employer should respond in most cases should be promptly, but in any event, your employer must respond within one month of receiving your request.
2. Disabilities
Your employer has a legal duty to make reasonable adjustments for you if have difficulties communicating in writing or otherwise. For example, if you are more comfortable expressing a request orally, in braille, or in sign language, then your employer still needs to treat the request as a SAR. So, know your rights and do not let a disability stop you from obtaining what you are entitled to.
3. Copies and proof
It is always useful to have a record of your request and send it by recorded delivery or email. This evidence could be invaluable if your employer is refusing to give you a copy of your information and you need to make a complaint to the Information Commissioner’s Office (ICO).
4. Fee
Making a SAR is free of charge! Even if your employer is trying to charge you a small fee, you can remind them that SARs can be made free of charge as of 25 May 2018; you could even make a note of this in the SAR itself.
5. Where can you find out more if you’re an employee?
You can find out more from the Subject Access Code of Practice which this article reflects.
The Code has not been updated since the Data Protection Act 2018 became law but provides useful guidance. The Code may change based on GDPR case law that will continue to develop, and the commentary on employer duties below reflect the Code.
Five Things to Consider If You Are an Employer
1. Receiving a SAR
Once an employer receives a SAR, they must:
i) confirm if the employer processes the personal information of the data subject;
ii) provide information about the data processing; and
iii) provide a copy of the personal data that is being processed.
This is the case, unless of course you decide you cannot provide them a copy of their data or you wish to extend the time you have for processing the request. If this is the case, you must inform the data subject of this promptly, with an explanation.
2. Extensions
If you, as an employer, want to extend the one-month time limit, you must inform the data subject within one month of receiving the request and give an explanation detailing why the delay is necessary. This could buy you potentially an extra two months where the requests are complex.
3. Identification
Always be sure that you, as an employer, know the identity of the requester! You can ask questions to help identify the person, but be reasonable. The level of precaution you take here should match how much distress could be caused to the individual if the information were to be incorrectly disclosed.
4. Third-party information
In some situations, a data subject will request to be given information that contains the personal information of a third party. How do you respond to this?
Step 1: Consider if the information request strictly requires the information that identifies the third party to be included. Could the third-party information be redacted?
Step 2: If you cannot separate the information of the data subject and the third party, decipher if the third party has consented to the disclosure.
Step 3: If you do not have consent, consider if it is reasonable in all circumstances to give a copy of the requested information without consent. Think here about the duty of confidentiality owed to the third party, the steps you have taken to obtain their consent, whether the third party is capable of giving consent, and if the third party has refused to give consent, and make a decision based on these considerations.
5. Guidance
It is good practice to have guidance on making a SAR on your company website, along with a form for people to fill in. You cannot, however, force an individual to use your form to make a SAR. It is recommended that you state where the form is to be sent to, highlight the fee/if it is free of charge, specify what information is necessary to obtain the personal data, and give details of a contact for the data subject to use to ask any questions.
Summary
If you are an employee, you can make a SAR and if you are an employer, we recommend that before responding to a SAR, you check to ensure that you are in compliance with all the relevant rules and that you are putting together the best response for your employee.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.