Data subjects have the right to:
- obtain confirmation that their personal data is being processed
- access the data, including receiving a copy of it
- be provided with supplemental information about the processing
Subject access requests
They can access this by making a ‘subject access request’. These are usually requested when a matter is before an Employment Tribunal or during internal investigations as part of disclosure.
Subject access request fees
With regards to subject access requests, the current £10 fee has been removed but if a request is ‘manifestly unfounded or excessive’, you can charge a fee. What amounts to ‘manifestly unfounded or excessive’ has not been defined, and we may have to wait for guidance from the ICO to get some clarification.
Deadlines for responding
The deadline for responding has changed. Employers must now respond to requests ‘without undue delay’ and at the latest within one month.
There is a possibility to extend this by a further two months so long as the employee is kept informed before the month’s expiry about the extension and the reasons why further time is required. This will usually be the case if the request is particularly complex or the documents to be provided are voluminous. The employee must also be given an updated timeframe for response.
What personal data should we provide?
In terms of the information that should be provided, GDPR says that ‘a copy of the personal data’ being processed must be supplied. This can include all the usual pieces of information, but also anywhere the data subject’s name is mentioned, for example in emails, provided there is some other pertinent or identifying information mentioned too.
In addition, you should provide supplemental information such as the purposes of processing the information, the categories of data processed, the recipients of any personal data, the envisioned retention period and the individual’s right to erasure.
We are still awaiting further ICO guidance on this topic and anticipate we will receive this in early 2018.
What should HR professionals do?
- Develop template response letters to subject access requests to ensure that all elements of the supplemental information are provided
- Assess your organisation’s ability to collate, retrieve and provide data in compliance with GDPR