With the current economic climate and the likelihood of an increase in employment disputes and redundancies, it is inevitable that we will also see an increase in subject access requests, and perhaps a greater number of requests made to the Information Commissioner to investigate the current data protection practices of the businesses concerned.
With this in mind, it is crucial that businesses know how to identify a subject access request when it comes in and how to respond to it, so those who run the business can be left to get on with doing just that: running a business.
The Data Protection Act 1998 (the "Act") grants data subjects a general right to be informed by a data controller whether processing of information about them is being carried out, and to have communicated to them, in an intelligible form, the details of what information the data controller processes.
In the employment context, employees often make subject access requests upon leaving their current employer seeking information in an attempt to establish a claim for unfair dismissal or some other claim.
There are some important steps to remember:
- Make sure that those in your business who are the most likely to receive a subject access request (SAR) know what one looks like. The clock is ticking: you only have 40 days to respond to it. Most employees or ex-employees will not tell you that they are availing themselves of their rights under section 7 of the Act; in most cases they will simply ask for copies of all information you hold about them. This is the essence of a SAR, so beware.
- Make sure that you are able to identify the individual making the request and that you can locate the information requested. If you can't, don't send out anything until you know who you are dealing with; make sure they are who they say they are.
- Data controllers can charge a fee of £10 for responding to a SAR. If it is your policy to charge, then you don't need to respond until you have the fee, but make sure your policy is known and that you adhere to it. Don't be tempted to ask for the £10 simply to delay in providing the information.
- A person making a SAR is entitled to be given information which relates to them; this is called "Personal Data" in the Act. Personal Data can be information held on computer (for example, payroll details or even logs of websites visited) and information held on paper where stored in a relevant filing system; however, what constitutes personal data is much broader for public authorities. If you are in any doubt as to what constitutes personal data, seek advice.
- If the information you are about to disclose contains information about third parties, you will need to get their consent, anonymise the information or be certain that it is reasonable in all the circumstances to disclose it. If you are in any doubt as to what a person is entitled to or what to do about third-party information, seek advice.
- Finally, where information falls under one of a number of exemptions, the Act permits the employer lawfully to withhold information which it would otherwise have to disclose. For example, personal data which consists of records of the intentions of the employer which relate to negotiations with the individual will be exempt from disclosure where the employer can demonstrate that to disclose such information would be likely to prejudice those negotiations.
It is important to remember that employees and ex-employees have a right of access in law; simply refusing to deal with a request, or not treating the matter seriously, will in most cases result in the employee or ex-employee referring the matter to the Information Commissioner. The Information Commissioner will investigate complaints and can serve enforcement notices on employers who fail to deal with requests for subject access, and can even serve information notices on employers, following which the Commissioner can inspect your records.