If an employee asks for a copy of their "personnel file" is the employer obliged to supply all the information held on the employee?
Under the General Data Protection Regulation (2016/679 EU) (GDPR), individuals are entitled to submit a request for access to any personal data that the employer holds about them, ie any information from which they can be identified, directly or indirectly. The GDPR covers personal data held on a structured manual filing system as well as computerised data. The employer must comply with such a request by providing the individual with a copy of the personal data requested.
There are some exceptions to an individual's right of access to personal data. One exception to the employer's duty to disclose personal data is where the information requested is for the purpose of management forecasting or management planning, and where disclosure could prejudice the employer's interests. The other main exception is where disclosure of the information would reveal personal information about a third party who can be identified from the information. In this case, the employer should not automatically refuse to disclose the information. Instead, it should seek either to redact the relevant documents to conceal the identity of the third party or to seek their consent to the disclosure of the information. The employer can disclose the data without the consent of the third party if it would be reasonable in all the circumstances to do so. What is reasonable will depend on the duty of confidentiality owed to the third party, any steps that the employer has taken to seek their consent and whether the third party is capable of giving consent or has expressly refused consent.
The employer must respond to a subject access request without "undue delay" and at the latest within one month of receipt of the subject access request. If the request is complex, the employer can extend the time limit for responding to three months.