Under the General Data Protection Regulation (GDPR), employees have the right to request and obtain a copy of the personal data held about them by their employer or former employer. This is known as making a data subject access request (DSAR).
The GDPR places strict compliance requirements on employers to deal with subject access requests. While the requests may in some cases appear onerous, failure by the employer to comply with a request in the correct manner and within the relevant timeframe can have serious repercussions for an organisation.
In this guide for employers, we look at how subject access requests from employees should be handled and the steps you can take to minimise the risk of non-compliance and penalties for your organisation.
What does the law say about subject access requests?
Under the UK GDPR and the Data Protection Act 2018, all individuals have the right to ask an organisation what personal data they hold about them and to obtain a copy of that data, as well as other supplementary information. This is called a data subject access request (DSAR).
In the context of the workplace, data subjects can include existing employees, former employees or even job applicants. The purpose of the right of access is to help individuals understand what personal data is being held about them, how and why an employer (or former employer) is using this data, and to ensure that their data is being processed lawfully.
The employer’s duty to comply with a request extends to any personal data retained by their organisation. Any information held about employees, provided they’re identifiable and the information relates to them as an individual, can constitute personal data for DSAR purposes. This can include information contained in HR records, pension records, or even internal communications and emails where the employee is specifically referenced.
Can employers refuse to comply with subject access requests?
The legislation recognises that organisations might have a legitimate reason for not complying with a DSAR, providing a number of exemptions to reflect this. Where an exemption applies, an employer may refuse to provide all or some of the requested information. Employers can also refuse to comply with a subject access request if it is manifestly unfounded or excessive.
However, each request should be considered individually, on a case-by-case basis, after careful consideration of all the facts. Employers must not routinely rely on exemptions or have a blanket policy on refusal. They must also document their reasons for refusing any request.
There are multiple exemptions set out under the DPA, including where personal data is processed for crime and taxation-related purposes, where data is subject to legal professional privilege, or where data is processed for management planning purposes and complying with a request would be likely to prejudice the conduct of the business.
However, the exemption most likely to apply in practice is where complying with a request would mean disclosing information that identifies another individual. Where it isn’t possible to redact the information that identifies the third party, the employer doesn’t have to comply with the employee’s request, except where the other individual consents to the disclosure or it is reasonable to comply without their consent.
In determining whether it’s reasonable, a balancing exercise will need to be undertaken between the requesting employee’s right of access and the third party’s rights. The employer will need to take into account the type of information they would need to disclose about the third party, any duty of confidentiality owed to that party and what steps have been taken to seek their consent. The employer must be able to justify their decision to disclose or withhold information about a third party, so they should keep a record of what they decide and why.
Manifestly unfounded or excessive
In assessing whether a request is manifestly unfounded or excessive, there are a number of factors an employer should consider. This could include where a request is repetitive in nature or, in certain circumstances, where the request relates to large amounts of data.
If a request largely repeats a previous request but a reasonable interval has elapsed, the request is not necessarily manifestly unfounded if the nature of the data is likely to have changed between requests. Equally, a request is not necessarily manifestly excessive just because an employee requests a large amount of information. However, the employer is entitled to assess whether the importance of providing access to the information is proportionate when balanced against the burden or costs involved in dealing with the request.
How to deal with subject access requests
A DSAR can be made either by the employee or by a third party on their behalf, and it does not have to be directed to a specific department or point of contact within the employer’s organisation. It can also be made verbally or in writing, including by email or even via social media.
It is advisable for employers to specify a preferred method of contact, typically within an organisational data policy (see below), to ensure the requests are received by appropriate members of staff.
Having received a subject access request from an employee, reasonable efforts should be made by the employer to find and retrieve the requested information. Where appropriate, the employer must then provide the employee with a copy of their personal data in an accessible, concise and intelligible format, together with details of how the employee’s personal data is collected, used and disposed of. The requested information must also be disclosed securely.
When deciding what format to use, the employer should consider both the circumstances of the request and whether the employee has the ability to access the data provided in that way. If an employee makes a request electronically, unless they request otherwise, the employer should provide the information in a commonly used electronic format.
The employer should keep a record of the date the employee made the request, the date of their response, details of who provided the information and what information was provided.
Employers cannot usually charge a fee to deal with subject access requests, although a fee to cover the administrative costs of complying with a request can be made if it’s manifestly unfounded or excessive, or if an employee requests further copies of their data.
Subject access request time limit
An employer must respond to a subject access request without undue delay and, at most, within one month of receipt of the employee’s request. This time limit can be extended by an additional two months, but only if the request is complex or the employer has received a number of requests from the same employee. Where the employer relies on an extension, it must tell the employee within one month of receiving the request and explain why the extension is necessary.
If an employer holds a large amount of information about an employee, the employer can ask the employee to specify the particular information or processing activities to which their request relates. The time limit for responding to the request is then paused until that clarification has been received. The employer may also need to ask for information to verify the requester’s identity, especially in respect of former employees; again, the timescale for responding will not begin until that information has been received. However, any clarification or ID documents sought should be requested promptly by the employer.
If an employer decides not to comply with a subject access request, they must still notify the employee, providing reasons for their refusal, within one month of receipt of the request. The employer must also explain the employee’s right to make a complaint to the Information Commissioner’s Office or, alternatively, of their right to take legal action.
Subject access request legal risks
There are various practical and legal challenges involved in dealing with subject access requests from employees, not least because no two DSARs are the same. This means that there are a number of ways in which an employer can fall foul of the law, including:
- Failing to recognise when a subject access request has been made: as requests can be made in various ways and to any part of an employer’s business, it can be extremely difficult for employers to determine when a request has been made. In some cases, the employer may not recognise, or may not be notified of, a subject access request.
- Failing to respond within the prescribed time limits: data held on an employee, or former employee, may be stored in multiple electronic or manual filing systems, making it difficult for the employer to locate and retrieve the requested information. Even though the time limit can be paused where clarification is needed as to the specific information sought, the employer must still act promptly in seeking that clarification from the employee.
- Failing to provide a response to the right person: prior to responding, the employer must take steps to verify the identity of the employee making the request so that personal data is not sent to the wrong person. In the case of current employees, this will usually be straightforward, although mistakes can easily be made with former employees.
If an employer fails to comply with a subject access request, or is otherwise in breach of the rules, an employee may lodge a complaint with the Information Commissioner’s Office (ICO). The ICO may then investigate the complaint and take enforcement action against the employer. An employee can also apply to the civil courts for a court order requiring the employer to comply with the request and to pay them compensation.
Managing legal risks
Whether or not an employer receives subject access requests on a regular basis, it’s important to take a proactive approach so that any requests can be dealt with effectively and in a timely manner. The way in which an organisation manages subject access requests can differ, depending on the size and resources of the business, and the personal data held. However, all employers should have in place a written policy for making and handling these requests.
A DSAR policy can instruct staff on how to report and, where authorised, to respond to requests. In this way employers can help to ensure that requests are dealt with correctly, consistently and within the prescribed time limits. Written guidance will also encourage employees making a request to direct this to the right person, for example, a designated data protection officer, and provide the right information needed to deal with their request.
A DSAR policy should typically include:
- the purpose of the policy
- the employee’s rights and employer’s obligations
- how employees can request personal data
- how to recognise a subject access request
- when the right of access applies
- how to record requests made verbally
- how to report requests to members of staff authorised to deal with a request
- how to lawfully respond to a request
- what supplementary information needs to be provided
- the time limits for responding
- when and how a request can be lawfully refused
- how to keep records of requests and what to include.
Employers must also have suitable information management systems in place across their organisation, allowing them to locate and retrieve information efficiently, and to provide that information securely, in the correct format and without undue delay.
DavidsonMorris’ HR advisers and employment lawyers support employers with all aspects of legal compliance, including handling data subject access requests. For specialist advice, contact us.
Subject Access Request FAQs
Can an employer refuse a subject access request?
An employer can refuse a subject access request where an exemption applies, for example, where complying with a request would mean disclosing information which identifies another individual, or where a request is manifestly unfounded or excessive.
Are emails included in a subject access request?
Any data held about a person, including information in emails, provided the requester is identifiable and the information relates to them as an individual, will usually constitute personal data for the purposes of a subject access request.
What can an employee request under GDPR?
Under the UK GDPR and the Data Protection Act, employees can ask what personal data an employer holds about them and obtain a copy of that data, as well as other supplementary information. This is called a subject access request.
Can a company ask for a subject access request?
A company cannot usually ask an individual to make a subject access request (SAR). This is known as an enforced SAR. If disclosure is required of someone’s criminal or health records, there are appropriate channels for accessing this information.
Last updated: 17 September 2021