Data subject access requests: Common employer queries

How should employers deal with data subject access requests and how will the process change for employers when the General Data Protection Regulation (GDPR) comes into force in May 2018? Clare Gilroy-Scott, a partner at Goodman Derrick LLP, answers some common questions about data subject access requests.

What are data subject access requests?

Under the Data Protection Act 1998, employees can, as "data subjects", make data subject access requests in relation to information that is held about them.

Data subject access requests are relatively easy to make, but can be problematic and time-consuming for employers.

Although their main purpose is to enable the individual to check that his or her data is processed lawfully in accordance with the Data Protection Act, many employees use requests as fishing exercises prior to legal action.

The Information Commissioner's Office (ICO) has made it clear in its June 2017 code of practice that it is irrelevant whether there is a "collateral purpose" behind a request.

What is personal data?

"Personal data" is data that relates to a living person who can be identified from the data (or from the data together with other information in your possession). It includes any expression of opinion about the individual and any indication of your intentions in respect of the individual.

It is information that relates to the person in his or her personal, family, business or professional life, where the individual is the focus or central theme of the information rather than some other person or event.

What constitutes a valid data subject access request?

A valid data subject access request will be in writing, but there is otherwise no prescribed form. If you want, you can request a fee of up to £10 and the request will not be valid until this fee is paid.

Employers should be satisfied as to the identity of the data subject. You should not assume that individuals making the request are who they say they are.

You could ask for a copy of the subject's passport or driving licence.

Asking for confirmation of identity has to be reasonable. The request may be from an employee who is already known to you, but it is still advisable to check that the request really has come from him or her and not a nosy co-worker.

Some requests may come through third parties, such as solicitors. This is about providing personal data, so employers will need to be satisfied that the request has been authorised by the individual.

Employers might request a written authority from the employee to supply their personal data to the person making the request.

What can the employee request?

The ICO code of practice indicates that a request in general terms for all information that is held about the employee is still a valid request.

However, the employee should provide sufficient information on the data requested so that the employer understands what is requested to be able to find it.

For example, is the information requested contained in emails, and if so, what was the relevant time period? If the request is not sufficiently clear, the employer can ask for more details to help to locate the requested data.

Is there any information that employers do not have to disclose?

There are some documents that you may legitimately exclude.

Exemptions apply in certain circumstances in relation to the nature of the personal data, or where the disclosure may cause prejudice to a part or function of your organisation.

There must be a "substantial chance" of prejudice, not a "mere risk".

Are there circumstances in which employers can refuse employees' data subject access requests?

Possible exemptions relevant to employees' data subject access requests are:

Management forecasting/planning: If a reorganisation is planned and there are documents that identify the employee, but these also outline the likelihood of certain other employees being made redundant, there may be a substantial risk of prejudice.

A historic process may not fall within the exemption, but you can redact personal information relating to other employees.

Confidential references: A reference, given confidentially, in relation to an employee's employment is exempt from a data subject access request.

However, if the reference is in the hands of the recipient, it is not exempt and so the employee may make a data subject access request to his or her new/prospective employer.

Likewise, the employee can also use a data subject access request to see references that you have received about him or her from a previous employer.

Settlement negotiations: Records of your intentions in respect of settlement negotiations that have taken place (or are taking place) between you and an employee are exempt to the extent that the disclosure would be likely to prejudice those negotiations.

This would cover, for example, a document prepared by the senior management that sets out the highest amount that you would be willing to pay to settle a claim.

Legal advice/proceedings: You do not have to disclose data over which there is legal professional privilege.

This covers confidential communications between a client and his or her professional legal adviser, both in general and where litigation is contemplated or has commenced.

If you rely on an exemption, it is recommended that you explain that information has been withheld and the reasons why.

What is the timeframe for responding to a data subject access request?

You must respond promptly to a valid request and within 40 days of the request. If you have requested a fee, or other reasonably required information, you do not have to respond until this is received.

ICO guidance states that you should not delay requesting a fee or further information just to obstruct the employee.

You cannot exclude data on the basis that it is difficult to access.

The search should be "reasonable and proportionate".

Extensive efforts are required to locate the information, but this does not go so far as requiring that no stone be left unturned.

Can you amend the data?

No, the data should be provided as it was at the date of the request.

What changes are coming up?

From 25 May 2018, the General Data Protection Regulation (GDPR) will give employees (as data subjects) the right to access the personal data that you process on them.

Employees will have to receive a copy on request, unless this would adversely affect the rights and freedoms of others.

The GDPR will also make some changes to the data subject access request process.

If an employee makes a data subject access request, the employer will have to provide a copy of his or her personal data free of charge (but may charge a fee if additional copies are requested).

If the data subject access request has been made electronically, the information will have to be provided electronically.

A "reasonable" fee will be chargeable if the request is excessive or unfounded. This is to cover the administrative costs of complying with the request.

Employers will have to respond within one month of receiving the data subject access request.

This can be extended by up to two further months, provided the employer informs the employee within one month of the request of the need for the extension and the reasons for it.

Subject access request: Employer checklist

  1. Is the request a valid data subject access request?
    1. Do you have sufficient evidence of identity?
    2. Do you need more information to locate the data requested?
    3. Do you require a £10 fee?
    4. Is the information requested "personal data" relating to the employee?
  2. If not, respond to the individual requesting a fee/clarification.
  3. Note your 40-day response deadline.
  4. Examine the information and remove duplicates and irrelevant information.
  5. Does the data contain third party information?
    1. Can you redact the information?
    2. Can you seek third party consent?
    3. If not, is it reasonable in all the circumstances to disclose the information?
    4. Notify the employee if dealing with third party information and consents is likely to delay the provision of part of the information that you are able to provide.
  6. Consider whether or not there is any exempt data.
    1. Explain your refusal to provide any information.
    2. Keep a record of withheld data and the reasons for withholding the data.
  7. Check whether or not the employee wants hard copies or an electronic copy of the information.
  8. Provide all information in an intelligible and permanent form with a brief description of the scope of the search.
  9. Finally, make a copy of what you send.