Editor's message: Data subject access requests are an important part of the data protection regime. Individuals have the right to make data subject access requests to find out whether or not you are processing their personal data. If you are, they have the right to access copies of that data and you must provide them with information about how you are processing it.
As an HR professional, you are likely to come across subject access requests from employees, job applicants and former employees. This could be in the context of a dispute; for example an employee could ask to see all the notes and witness statements relating to his or her grievance or disciplinary proceedings. Or it could be a request from an unsuccessful job applicant, perhaps who suspects that he or she has been discriminated against.
With the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, you will need to be ready to respond more promptly to a subject access request than under the previous Data Protection Act 1998 regime, and you will need to provide more information about the personal data you process. Publicity around the introduction of the GDPR may well result in a higher volume of requests, as people become more aware of their personal data rights.
To avoid attracting the attention of the Information Commissioner you will need to have appropriate procedures in place for responding to subject access requests relating to HR data.
Susie Munro, senior employment law editor
Updated to take account of verbal subject access requests, which ICO guidance states are valid.
Updated to include a reference to the Government's consultation on exemptions from ICO fees.
Updated to reflect ICO guidance on verbal subject access requests.
HR and legal information and guidance relating to data subject access requests.