Subject Access Requests under the GDPR: What employers need to know
During the course of the employment relationship or after the employment relationship has ended, an employer may receive a subject access request from an employee. Employees tend to make a SAR request when they have a grievance.
The law relating to data protection has recently been updated as a result of the EU General Data Protection Regulation (GDPR),which was adopted in May 2016 and automatically came into effect in the UK on 25 May 2018.
What is a SAR?
SARs entitle individuals to the right to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation.
Why has the law changed?
It is generally accepted that the last few years has seen a growth in peoples’ awareness of their rights, including their right to privacy, and the GDPR seeks to update the law in line with that. This is especially relevant given the awareness of data being held digitally.
What has Changed?
There are a few notable changes to the operation of SARs:
- Fee: An organisation should not normally charge for complying with an SAR. However, if numerous requests are made for the same information, a reasonable administrative charge may be applied.
- Method of Request: SAR’s may now be made in any form (including orally and by electronic means) and it is generally considered that the response should be in a similar form to the request, unless specified otherwise (e.g. electronic requests be responded to electronically).
- Response Time: A response should be given within a month of the request. This may be extended (by another two months) for complex requests, but the employer should notify the person making the request of this extension.
- Content of Response: Individuals should be able to discover what information is being held about them and the processing of that information. It may also be necessary for the controller to give details of the retention period of the data and the right to correct inaccurate data.
- Refusal of Request: There are limited reasons for refusal of SARs, which include the withholding of data if it would “adversely affect the rights and freedoms of others”or if the request is ‘manifestly unfounded or excessive’. For example, if a vague request is made, and the result is that the response would be very large, it is not unreasonable to deal with it by seeking clarification of what is being asked for, which also has the effect of pausing the clock for that request.
Responding to a Request
The GDPR is aimed at simplifying and easing the process for anyone to obtain the data held on them. As noted above, organisations must now respond more quickly and provide more information than previously. Whether or not you will be handling a large number of requests, it may be beneficial if you organised a GDPR-compliant approach to SARs.
What if an employer fails to comply?
If an employer fails to meet the deadline or provide employees with access to all the data they request they could be exposed to significant penalties.
The ICO has a range of enforcement tools available to it under the GDPR including issuing warnings, reprimands, ordering compliance and imposing large fines.
This is the second of three phases of changes to data protection law. The schedule for the changes is:
- The law prior to 25 May 2018 (pre-GDPR);
- The law after 25 May 2018 but before 11pm 29 March 2019 (post-GDPR but pre-Brexit); and
- The law after 11pm 29 March 2019.
It is important to note that upon leaving the EU, the UK has currently (provisionally) agreed a transition period in which it will continue to be bound by the GDPR from 30 March 2019 up to 31 December 2020 but unless this is formalised, the UK will become a ‘third country’ for data protection purposes at 11pm on 29 March 2019, and this may bring with it further obligations relating to subjects’ data and how it is being stored and/or processed.
For more information about how to comply with the GPDR, SARs please contact us on 020 7903 6888 or email firstname.lastname@example.org.
The material contained on this website contains general information only and does not constitute legal or other professional advice and should not be relied upon as such. While every care has been taken in the preparation of the information on this site, readers are advised to seek specific legal advice in relation to any decision or course of action.