Editor's message: Data subject access requests are an important part of the data protection regime. Individuals have the right to make data subject access requests to find out whether or not you are processing their personal data. If you are, they have the right to access copies of that data and you must provide them with information about how you are processing it.
As an HR professional, you are likely to come across subject access requests from employees, job applicants and former employees. This could be in the context of a dispute; for example, an employee could ask to see all the notes and witness statements relating to his or her grievance or disciplinary proceedings. Or it could be a request from an unsuccessful job applicant, perhaps one who suspects that he or she has been discriminated against.
The General Data Protection Regulation (GDPR) requires you to be ready to respond more promptly to a subject access request than was the case under the previous data protection regime, and you will need to provide more information about the personal data you process. Publicity around the GDPR may well result in a higher volume of requests, as people become more aware of their personal data rights.
To avoid attracting the attention of the Information Commissioner, you will need to have appropriate procedures in place for responding to subject access requests relating to HR data.
Susie Munro, senior employment law editor
Updated to include information on WM Morrison Supermarkets plc v Various claimants, in which the Supreme Court considered whether the employer was vicariously liable for an employee's personal data breach.
Updated to flag up ICO guidance on the definition of a "manifestly unfounded" or "excessive" subject access request.
Updated to reflect new ICO guidance on when a request may be manifestly unfounded or excessive.
Updated to take account of verbal subject access requests, which ICO guidance states are valid.
HR and legal information and guidance relating to data subject access requests.