What is a subject access request?
From time to time you may receive requests from members of staff, job applicants and former staff members for access to or copies of “Personal Data” you hold about them (see below). Under the Data Protection Act 1998 (“DPA”), these are known as Subject Access Requests (“SAR”).
There are strict legal requirements with which you will need to comply regarding such requests under the DPA. Furthermore, your obligations extend beyond Personal Data held by you, as an employer, to those held on your behalf by a third party.
Those making a SAR are also entitled to request and be provided with details of:
- the purpose(s) for which their Personal Data are processed
- the recipients to whom that Personal Data may be disclosed
- the sources of that Personal Data
This note and the “frequently asked questions” which follow provide an overview only of SARs and the applicable legal requirements. Dealing with SARs can be tricky and complex, from identifying a legitimate request, to responding appropriately and within strict timescales. SARs are also being used increasingly as “fishing expeditions” or early disclosure opportunities by potential claimants and their advisors. Responding inappropriately (or failing to respond) can expose the business not only to regulatory enforcement action, fines, and claims from the affected individuals for breach of a statutory duty, but also to adverse publicity or compromise of your position in legal proceedings.
It is strongly recommended that you identify specific individuals within your business to deal with SARs, so that requests can be channelled appropriately and those individuals understand the significance of the task.
A SAR handling policy and procedure should be adopted and training given to those involved. In case of doubt, professional advice should be sought. (Contact details of our own specialist Privacy and Information Law team are provided below).
What is personal data?
So what information might you be required to disclose in response to a SAR as an employer?
‘Personal Data’ is defined in the DPA. It is information which relates to and identifies a living individual, either on its own or when combined with other information held by you as the “data controller”.
Personal Data may be held in a variety of media, both computerised and on paper:
Computerised data may be held on a central server, a memory stick or the hard drive of a particular computer. If data has been deleted but is technically recoverable, it may be within the scope of the required searches for the purposes of a SAR.
Paper records will also be within scope if they are in a manual filing system which is structured so as to allow retrieval of the Personal Data by reference to an individual (e.g. an organised system of paper HR records). For public authorities subject to the Freedom of Information Act 2000, however, even unstructured records may need to be considered for the purposes of a SAR.
Timescales and fee
You are entitled to apply a fee to undertake a search in respect of a SAR. With some exceptions (for example in respect of health records) the maximum amount that can be charged is normally £10.
Acknowledgement of receipt of a SAR should be provided as soon as possible AND the request considered promptly.
A valid SAR must be responded to within 40 calendar days of receipt of the SAR (or of payment by the applicant of the fee, where it is requested).
For some frequently asked questions, see overleaf.
Responding to a SAR
REMEMBER that difficulty in finding the requested Personal Data, or the fact that a search generates a large volume of documents, is not a valid basis for refusal (although it may affect the extent to which you provide copies).
- the request does not have to specifically mention the DPA or say it is a SAR to be valid, nor can you compel the use of a specific form to make the request
- the right of applicants is to see their own Personal Data, as opposed to a right to see copies of entire documents that contain their Personal Data. In practice, however, the easiest way to provide the relevant information is often to provide copies of the original documents.
- you must generally provide a copy of the information to be disclosed in response to a SAR in a permanent form
- it may be appropriate to provide certain information in redacted form. This is often fraught with difficulty and leads to error. It is strongly recommended that redaction of any documentation is undertaken only with specialist advice
- complex terms or information contained in the data with which the applicant is unlikely to be familiar should be explained
- you are not obliged to inform the applicant that an exemption applies to some of the requested data or that exempt information has been withheld but it is good practice to do so and to explain the reasons. (For examples of exemptions, see FAQs overleaf).
Some frequently asked questions