Editor's message: Data subject access requests are an important part of the data protection regime. Individuals have the right to make data subject access requests to find out whether or not you are processing their personal data. If you are, they have the right to access copies of that data and you must provide them with information about how you are processing it.
As an HR professional, you are likely to come across subject access requests from employees, job applicants and former employees. This could be in the context of a dispute; for example an employee could ask to see all the notes and witness statements relating to his or her grievance or disciplinary proceedings. Or it could be a request from an unsuccessful job applicant, perhaps who suspects that he or she has been discriminated against.
Now that the General Data Protection Regulation (GDPR) is in force, you need to be ready to respond more promptly to a subject access request than under the previous Data Protection Act 1998 regime, and you will need to provide more information about the personal data you process. Publicity around the introduction of the GDPR may well result in a higher volume of requests, as people become more aware of their personal data rights.
To avoid attracting the attention of the Information Commissioner you will need to have appropriate procedures in place for responding to subject access requests relating to HR data.
Susie Munro, senior employment law editor
Updated to flag up ICO guidance on the definition of a "manifestly unfounded" or "excessive" subject access request.
Updated to reflect new ICO guidance on when a request may be manifestly unfounded or excessive.
We discuss the main changes to the procedure for responding to a subject access request under the GDPR regime and the practicalities of providing access to what could potentially be a large amount of data.
Updated to take account of verbal subject access requests, which ICO guidance states are valid.
HR and legal information and guidance relating to data subject access requests.