How to Manage a Subject Access Request

Right of access

Under the original Data Protection Act 1998, individuals have rights of access in relation to the personal data that you hold on them. A request for such information is called a ‘subject access request’. The General Data Protection Regulation, which was introduced on 25 May 2018, also contains a right of access but with some changes. As before, the right permits individuals to see the information that you process about them, not to actually receive a copy of the information. However, it is likely that the easiest way to allow the individual to see the information is by sending a copy of it to the individual.

Personal data

A subject access request must be in relation to an individual’s personal data, including special categories of personal data. Where a request is made for information which is not the individual’s personal data, the request will not be a subject access request and the following rules will not apply. You should make contact with the employee to explain that you are under no obligation to respond to the request as a subject access request. It may, however, be more appropriate to deal with it as a freedom of information request.

“Personal data” is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, including a name.

“Special categories of personal data” includes information relating to:

• race
• ethnic origin
• politics
• religion
• trade union membership
• genetics
• biometrics (where used for ID purposes)
• health
• sex life or
• sexual orientation.

What data is usually requested?

Usually, employees make a subject access request for information held on their personnel file in the context of a dispute with their employer or an ongoing employment tribunal claim. However, there is no restriction on the scope of personal data that can be requested.

Receiving a request

Subject access requests must be made in writing. Dealing with a request made verbally is not required, however, it is best practice to do so, or at least to explain to the employee how to make a valid written request. In addition, it may be a reasonable adjustment to accept a verbal request where the individual making the request is disabled.

Requests do not need to mention the Data Protection Act nor the words “subject access request” to be valid. No reason for seeking the information must be given for a request to be valid.

You cannot insist that requests are made in a particular format but using a template request form may help the requester include all of the information that you require in order to deal with the request efficiently. A template ‘Subject access request form’ is available in our model documents.

The Information Commissioner also points out that requests that are made via social media, for example Facebook or Twitter, should not be ignored. Because you must verify the identity of the requester, and in some cases you are able to charge a fee, it is likely that other methods of communication will be necessary in any case. Whilst requests may be made using social media, security considerations are likely to make a response via social media inappropriate and alternative means should be sought.

Requests from third parties

Subject access requests may be made on behalf of an individual by a solicitor, for example, or simply someone else whom the individual wishes to act for them. You must ensure that the third party is entitled to act on the individual’s behalf by requiring them to provide evidence of this, for example, a letter from the individual authorising the third party to act on their behalf.

What to do when you receive a request

When you receive a request, you should first ensure that the data requested is personal data relating to the employee. If it is not, for example, if it relates to profit data, then a subject access request is not the appropriate method for a request. You should consider whether the request should be dealt with as a Freedom of Information request.

If the request is general or vague, for example, you are able to ask the employee to be more specific regarding the data they wish to have access to. You may also do this where you process a large amount of personal data in relation to the employee. Your request for further information should not carry the intention of narrowing down the request, although this may in fact be the end result. You may ask them to provide information about the context in which the information about them may have been processed and about the likely dates when processing occurred if this will help you deal with the request.

Where a request is received that does not specify which personal data the employee wishes to be disclosed eg “all personal data relating to me”, or where a large amount of data is processed on the employee, you may ask the employee to be more specific on the data to which the request relates. If the employee offers no more specific a request, you are able to either:

• charge a reasonable fee to comply with the request or
• refuse to deal with the request

on the grounds that the request is “manifestly unfounded or excessive”. Guidance on what “manifestly unfounded or excessive” means is expected shortly.

Verification of identity

hen you receive a request, you may ask an individual to verify their identity if you have reasonable doubts over the identity of the employee. In some circumstances, verification will not be necessary, for example, if the request comes from an existing employee who hand delivers their request to you.

Payment

In a significant shift under the GDPR, you may no longer request a fee from the individual in order to supply information as a standard procedure. The information must be provided free of charge. There are two circumstances in which a fee may be charged:

• if the request is “manifestly unfounded or excessive, particularly if it is repetitive” or
• where further requests of the same information are made.

Guidance on what “manifestly unfounded or excessive” means is expected shortly.

The charge should be set at a ‘reasonable’ amount based on the administrative cost of providing the information.

Time limit

In another change introduced by GDPR, information must be provided without delay, and at the latest within one month of receipt of the request.

Obtaining an extension to time limit

Where requests are complex or numerous, you may extend the normal one month maximum time limit by a further two months, meaning that the overall deadline is three months from the date of receipt. Where you decide to use the extension, you must inform the employee within one month of receipt of the request and give reasons for the extension.

Locating the information

Whilst you have a duty to facilitate the request, you are not required to do anything which is unreasonable or disproportionate to the importance of providing access to the information. You are expected, however, to make extensive efforts to find and retrieve the information requested.

Electronic systems usually allow for relatively efficient locating of data by using search terms and refining by adding parameters on date. Remember you may need to look through information that you have archived. In cases where you have deleted data, you are not expected to attempt to retrieve it. However, emails should not be considered as ‘deleted’ just because they have been moved to the ‘Deleted Items’ folder. It is not likely to be disproportionate to have to look through emails that have removed from your ‘live’ systems.

Where information identifies other people

In many cases, information that must be provided in response to a subject access request will identify people other than the requester. In these cases, you do not need to disclose the information except where:

• the other individual has consented to the disclosure or
• it is reasonable in all the circumstances to comply with the request without that individual’s consent.

You should follow the following three step approach to dealing with information about third parties:

• does the request require the disclosure of information that identifies a third party? Can you redact a document to remove identification of the other party? As the right of access covers access to information only and not to documents, this would be one resolution
• has the third party consented? It is good practice to ask the third party for the consent to the disclosure of their information as part of a response to a subject access request. You are not obliged to get consent and in some cases it will not be appropriate to try to get consent
• would it be reasonable in all the circumstances to disclose without consent? If consent from the third party is refused, for example, you would need to consider whether, in all the circumstances.

Supplying the information

You must send a copy of the personal data in writing to the employee. You may also send it by electronic means and if the request was made by electronic means, your response should be in “a commonly used” electronic form.

You must also send the following information:

• the purposes of the processing
• the categories of personal data concerned
• the recipients or categories of recipients to whom data has been or will be disclosed
• the period during which personal data will be retained
• information on the source of the data
• information regarding complaints and disputes: the right to complain to a supervisory authority, the right to request rectification or erasure of personal data, to object to processing of data or to restrict that processing and
• where personal data is transferred outside the EEA, information on any safeguards.

In practice, most of the above information will be included in your privacy notice.

Information can be provided in hard copy or electronically. The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to the information they have requested. The Information Commissioner acknowledges that this will not be appropriate for all organisations but may work well in particular sectors.

You may wish to use our ‘Letter in response to subject access request (GDPR compliant)’ available in our model documents.

Refusing a request

Where you made a decision to refuse to deal with the request, for example, because the request is “manifestly unfounded or excessive”, you must inform the employee without undue delay within one month, giving your reasons. You must also inform them of their right to complain to the Information Commissioner or to take legal proceedings.

For more information and guidance, contact the team of HR Consultants at aspire cambridge today on 01223 855441.