Under the Data Protection Act, employees can ask to see any personal data about them that their employers hold. These are called Subject Access Requests (SARs), and can create potential legal problems for employers. What are the risks around SARs? And how should employers handle them?
The Risks
A SAR will likely be time-consuming and costly to an employer. They may need to look through a lot of data in order to find all of the information required.
SARs can also be risky for employers if there is legal action (or the threat of legal action) against the employee who makes the request. Failure to properly respond to a SAR can become a factor in Employment Tribunal cases. In addition, employees could potentially use SARs to uncover unfavourable evidence for Tribunal cases. For example, emails demonstrating that a redundancy dismissal was actually motivated by performance issues could create problems for an employer.
Handling a Subject Access Request
It is crucial that employers deal with SARs as soon as possible, as they should be replied to within 40 calendar days. You should check that the request has been made correctly, as the 40-day countdown will not begin until this is done.
You should review what kind of data is requested. In some cases, the data requested will be extremely wide and an employer has the right to go back and ask the employee making the request to narrow their search.
It is also important to consider if the data requested will contain any information about third parties. This information might need to be redacted.
Employers should also establish what the information requested is about. Individuals are only entitled to access information that is 'personal data', not information about other people (unless someone is acting on behalf of a person) or information they happen to be interested in. You can ask an employee making a SAR to provide enough information in order to establish if they are the individual that the personal data is about. You can also ask for information you might reasonably need in order to fulfil the SAR (for example, asking for dates of specific emails).
It is also important to remember that certain information is excluded from SARs: for example, documents covered by legal privilege (i.e. between solicitor and client).
The future of Subject Access Requests
Although the timeline of the UK's future position in the EU is not clear, it is highly likely that the General Data Protection Regulation (GDPR) will need to be enforced in UK law before the UK leaves the EU.
The GDPR became part of UK law in May 2018 and will mean changes for how SARs are handled. Information will generally need to be provided free of charge (where before it was possible to charge a £10.00 fee). In addition, the 40-day time limit will be lowered to one month. However, extensions may be possible.