Under the Data Protection Act 1998 (DPA), both current and former employees have a right to see a copy of the personal data that their employer retains about them. Employees can engage this right by submitting a subject access request (SAR) to their employer.
Employees have a right to:
- be told whether any of their personal data is being processed;
- be given a description of their personal data and the purpose for which the employer processes it;
- be told to whom the employer discloses the information;
- be given a copy of any personal data the employer holds about them; and
- be given any sources of the data where it is possible to do so.
The employer must comply and provide a prompt response within 40 days of receiving the written SAR. However, the employer’s response may be subject to restrictions that complicate its obligation to comply. For example, the response obligation raises thorny issues if the employee’s data includes that of a third party.
It is currently possible for employers to charge a fee for dealing with an SAR, with the usual maximum charge being £10. However, the charge could increase if the employee seeks special categories of data. Employers may also extend the 40-day response period if they need to confirm the identity of the individual requesting the information, or if they need to locate further information that the individual seeks.
SAR under the General Data Protection Regulation
On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force; employees will continue to have the right to access their personal data. The aim of the GDPR is to allow data subjects to be aware of and verify the lawfulness of processing their personal data.
Under the GDPR it will be free for an employee to submit an SAR. However, employers may charge a “reasonable fee” to cover administrative costs if the request is tenuous or excessive. The employer may also charge a fee if the employee requests further copies. If the SAR is tenuous or excessive, instead of charging a fee, the employer may refuse to respond to the request. The employer should explain the reasoning for the refusal and inform the employee of his or her right to complain either to the Information Commissioner’s Office or to the court within one month of receipt of the SAR. If the employee follows through with the complaint, the employer should be prepared to demonstrate why the SAR was tenuous or excessive.
Under the GDPR, the employer will have less time to respond to an SAR. Personal data must be provided as soon as possible—typically within one month of receipt of the SAR. It is possible for the employer to extend the period of compliance by a further two months if the SAR is complex and there are a number of requests involved. In such cases, the employer must notify the employee within one month of receipt of the SAR and give reasons for the extension.
Comments
The abolition of the SAR fee will likely increase the number of SARs that employers receive. Additionally, employers will have less time to respond. Therefore, with the GDPR coming into force very soon, it is important for employers to review and update their SAR systems and procedures now so that they are GDPR compliant in preparation for the 25 May 2018 deadline.
Written by Justin T. Tarka of Ogletree Deakins