Editor's message: Data subject access requests are an important part of the data protection regime. Individuals have the right to make data subject access requests to find out whether or not you are processing their personal data. If you are, they have the right to access copies of that data and you must provide them with information about how you are processing it.
As an HR professional, you are likely to come across subject access requests from employees, job applicants and former employees. This could be in the context of a dispute; for example an employee could ask to see all the notes and witness statements relating to his or her grievance or disciplinary proceedings. Or it could be a request from an unsuccessful job applicant, perhaps who suspects that he or she has been discriminated against.
The UK General Data Protection Regulation (UK GDPR), sets out strict time limits and requirements for the information you must provide when responding to a request.
To avoid attracting the attention of the Information Commissioner you will need to have appropriate procedures in place for responding to subject access requests relating to HR data.
Susie Munro, senior employment law editor
HR and legal information and guidance relating to data subject access requests.