How Do You Deal with Subject Access Requests?
When employees are let go what sometimes follows is a request by the employee for their personal data from the employer. This personal data can then be used as ammunition for the employee to support any legal claims that they may have against an employer. So, if any such request is made then what are the rules of engagement for both employees and employers regarding the disclosure of personal data?
What is a Subject Access Request?
Under the General Data Protection Regulation, individuals are given the right to access the personal data that a company or employer holds about them and ask questions like, ‘why are you holding this?’, ‘where did you get this information from?’, and ‘who are you disclosing it to?’.
A Subject Access Request (SAR), although it must be in writing, does not have to be presented in a particular form, and it does not have to include the words ‘subject access’. The requester could even mistakenly cite the Freedom of Information Act to justify the request, in which case the employer would still need to treat the request as a SAR.
5 Things to Think About If You Are an Employee Making a SAR
1. How to make a SAR
Your employer cannot force you to submit a SAR in a format or structure that they prefer. As long as your request is in writing (or even an email), then your employer will have to respond to it.
It might, however, be useful to specify a few pieces of information in your SAR: for example, tell them the information you need and any relevant dates, give your contact details, and reference the one-month deadline that your employer will need to comply with.
In most cases your employer should respond promptly, but in any event your employer must respond within one month of receiving your request.
2. Disabilities
Your employer has a legal duty to make reasonable adjustments for you if you have difficulties communicating in writing or otherwise. For example, if you are more comfortable expressing a request orally, in braille, or in sign language, then your employer still needs to treat the request as a SAR. So, know your rights and do not let a disability stop you from obtaining what you are entitled to.
3. Copies and Proof
It is always useful to have a record of your request and send it by recorded delivery or email. This evidence could be invaluable if your employer is refusing to give you a copy of your information and you need to make a complaint to the Information Commissioner’s Office (ICO).
4. Fee
Making a SAR is free of charge! Even if your employer is trying to charge you a small fee, you can remind them that SARs can be made free of charge as of 25th May 2018 – you could even make a note of this in the SAR itself.
5. Where can you find out more if you’re an employee?
You can find out more from the Subject Access Code of Practice which this article reflects.
The Code has not been updated since the Data Protection Act 2018 became law but provides useful guidance. The Code may change based on GDPR case law that will continue to develop, and the commentary on employer duties below reflects the Code.
5 Things to Consider If You Are an Employer
1. Receiving a Request
Once an employer receives a SAR, they must:
- confirm if the employer processes the personal information of the data subject;
- provide information about the data processing; and
- provide a copy of the personal data that is being processed.
This is the case, unless of course you decide you cannot provide them a copy of their data or you wish to extend the time you have for processing the request. If this is the case you must inform the data subject of this promptly, with an explanation.
2. Extensions
If you, as an employer, want to extend the one-month time limit, you must inform the data subject within one month of receiving the request and give an explanation detailing why the delay is necessary. This could potentially buy you an extra two months where the requests are complex.
3. Identification
Always be sure that you, as an employer, know the identity of the requester! You can ask questions to help identify the person, but be reasonable. The level of precaution you take here should match how much distress could be caused to the individual if the information were to be incorrectly disclosed.
4. Third Party Information
In some situations, a data subject will request to be given information that contains the personal information of a third party. How do you respond to this?
Step 1: consider if the information request strictly requires the information that identifies the third party to be included. Could the third-party information be redacted?
Step 2: if you cannot separate the information of the data subject and the third party, determine whether the third party has consented to the disclosure.
Step 3: if you do not have consent, consider if it is reasonable in all circumstances to give a copy of the requested information without consent. Think here about the duty of confidentiality owed to the third party, the steps you have taken to obtain their consent, whether the third party is capable of giving consent, and if the third party has refused to give consent, and make a decision based on these considerations.
5. Guidance
It is good practice to have guidance on making a SAR on your company website, along with a form for people to fill in. You cannot, however, force an individual to use your form to make a SAR. It is recommended that you state where the form is to be sent to, highlight the fee or that it is free of charge, specify what information is necessary to obtain the personal data, and give details of a contact for the data subject to use to ask any questions.
Summary
If you are an employee you can make a SAR and if you are an employer, we recommend that before responding to a SAR, you check to ensure that you are in compliance with all the relevant rules and that you are putting together the best response for your employee.
For more information, please contact Jimmy Desai (jimmy@coachinglaw.com) or Emmanuel Vranakis (emmanuel@coachinglaw.com).
© 2019. Coaching Law Limited. All rights reserved.