Employer queries regarding data subject access requests

What are data subject access requests?

The Data Protection 1998 provides that employees can act as ‘data subjects’ which allows them to make data subject requests in regard to information that may be held about them.

These requests are straightforward to make; however, they can become time consuming and complex for the employer.

The sole purpose of data subject access requests is to allow the individual to certify that their information is being processed duly and in line with the Data Protection Act.

However, many employees have been suggested as using these requests as a way of ‘fishing’ before legal action.

What is classed as personal data?

Under the Data Protection Act, personal data is defined as “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with their information that is in, or is likely to come into, the possession of the data controller.”

In simpler terms, it is information that concerns the individual in his/her personal, family, professional or business life.

What forms a binding data subject access request?

In the first instance, a valid request should be in writing. Those who hold the data can request that a fee of up to £10 is paid in the first event before the data will be released.

It is important that employers are satisfied with the identity of the person requesting the data. It should not be automatically assumed that the individual requesting the data is who they say they are.

When asking for proof of identity, this must be reasonable. Reasonable requests include requesting that the subject shows you their passport or drivers licence.

In addition, some requests may come through third parties such as the employees doctor or solicitor. As the person who holds the information you must be satisfied that the request has been sanctioned by the subject. In this instance, you may ask that the employee provides you with authority in writing before you release the request.

What data can an employee request?

The ICO code of practice states that an individual is entitled to be:

– Told whether any personal data is being processed;

– Given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations or people;

– Given a copy of the personal data and;

– Given details of the source of the data (where this is available)

The ICO code of practice states further “an individual can also request information about the reasoning behind any automated decisions taken about him or her, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work.”

What is the time limit when responding to a request?

The ICO Code of Practice states employers must respond to access requests promptly and within 40 days of receiving the request.

How can we help?

At Employment Law Services (ELS), we will work together with our clients to ensure they are fully protected and prepared for the new regulation to take effect in May 2018. If you have any specific queries about the impact this may have on your business or wish to contact us for a free consultation call us today on – 0800 612 4772.