If an employee asks for a copy of his or her "personnel file" is the employer obliged to supply all the information held on the employee?
Under the General Data Protection Regulation (2016/679 EU) (GDPR), an individual is entitled to submit a request for access to any personal data that the employer holds about him or her, ie any information from which he or she can be identified, directly or indirectly. The GDPR covers personal data held on a structured manual filing system as well as computerised data. The employer must comply with such a request by providing the individual with a copy of the personal data requested.
There are some exceptions to an individual's right of access to personal data. One exception to the employer's duty to disclose personal data is where the information requested is for the purpose of management forecasting or management planning, and where disclosure could prejudice the employer's interests. The other main exception is where disclosure of the information would reveal personal information about a third party who can be identified from the information. In this case, the employer should not automatically refuse to disclose the information. Instead, it should seek either to redact the relevant documents to conceal the identity of the third party or to seek his or her consent to the disclosure of the information. The employer can disclose the data without the consent of the third party if it would be reasonable in all the circumstances to do so. What is reasonable will depend on the duty of confidentiality owed to the third party, any steps that the employer has taken to seek his or her consent and whether the third party is capable of giving consent or has expressly refused consent.
The employer must respond to a subject access request without "undue delay" and at the latest within one month of receipt of the subject access request. If the request is complex, the employer can extend the time limit for responding to three months.