How to deal with data subject access requests


Employees have the right to request and acquire a copy of their personal data kept by their employer or former employer.

This is known as making a data subject access request (DSAR) under the General Data Protection Regulation (GDPR).

When dealing with subject access requests, employers have to ensure they meet their obligations under the GDPR.

If the employer fails to comply with a subject access request or otherwise breaks the rules, employees can make a complaint to the Information Commissioner’s Office. The ICO has powers to investigate the complaint and take action against the employer.

An employee can also seek a court order compelling the employer to comply with their request and pay them compensation through the civil courts.

While the demands may appear to be burdensome in some situations, failure by an employer to comply with a request in a timely and proper manner can have substantial consequences for an organisation.

We look at how to handle subject access requests from employees in this advice for employers, as well as steps you can take to reduce the risk of non-compliance and penalties for your company.

Employment-related subject access requests

All individuals in the UK have the right to ask an organisation what personal data they possess about them and to request a copy of that data, as well as other supplemental information, under the GDPR and the Data Protection Act (DPA) 2018.

Existing employees, previous employees, and even job candidates are all examples of data subjects in the workplace.

The right of access is intended to allow individuals to learn what personal data is stored about them, how and why an employer (or former employer) uses this data, and whether their data is being handled lawfully.

The obligation of an employer to cooperate with a request extends to any personal data held by their company. For DSAR reasons, any information stored about employees that is identifiable and relates to them as an individual might be considered personal data. This can include information from HR files, pension records, and even internal conversations and emails that mention the employee by name.

In some cases, employers may be able to refuse to submit all or part of the requested information provided they can show reasonable justification for not complying with a DSAR. The DPA recognises this by offering a number of exemptions where employers can decline to comply with subject access requests, such as where a subject access request is plainly unfounded or excessive.

Employers should not rely on exemptions or have a blanket refusal policy. Employers are advised to consider each DSAR and determine their response on a case-by-case basis.

They must also keep a record of the reasons being relied on when refusing to comply with a DSAR.

Can you refuse to comply with a DSAR?

Employers may refuse to comply with a subject access request – in part or in full – only if an exemption applies or if the request can be deemed ‘manifestly unfounded’ or ‘manifestly excessive’.

Exemptions to subject access requests

The DPA contains a number of exemptions, including when personal data is processed for criminal or tax-related purposes, when data is subject to legal professional privilege, or when data is being processed for business planning purposes and complying with a request would present a risk to the business’s operations.

The exemption that is most likely to apply in practice is where compliance with a request would require releasing information that could be used to identify another person. The employer is not required to comply with the employee’s request if the information that identifies the third party cannot be redacted, unless the other individual consents to the disclosure or it is appropriate to comply without their consent.

A balancing act between the asking employee’s right of access and the rights of the third party will be required to determine if it is reasonable.

The employer must consider the type of information they will need to divulge about the third party, any confidentiality obligations owed to that party, and the actions taken to obtain their consent.

The employer has to justify their decision to provide or withhold information about a third party. This information should be documented.

Note also that different exemptions apply in different ways, so you would need to consider how the relevant exemption impacts your obligations in relation to the specific request.

Requests that are ‘manifestly unfounded’ or ‘manifestly excessive’

There are several elements that an employer should consider when determining whether a request is manifestly unfounded or excessive. This could be the case if a request is repetitive or, in some cases, if it covers a very large volume of data.

A request that largely repeats an earlier one is not necessarily manifestly unfounded if a reasonable period has passed between the requests and the data is likely to have changed in the meantime.

Similarly, just because an employee wants a substantial amount of information does not mean the request is patently excessive.

The employer is, however, entitled to weigh the importance of granting access to the information against the difficulty or cost of responding to the request, and to decide whether the request is proportionate.

How to handle subject access requests

A DSAR can be made by an employee or by a third party on their behalf, and it does not need to be addressed to a specific department or point of contact within the employer’s organisation. It can be made verbally or in writing, such as by email or social media.

To ensure that requests are handled by relevant members of staff, employers should define a preferred means of contact, often within an organisational data policy.

After receiving a subject access request from an employee, the employer should make reasonable attempts to locate and obtain the requested material.

The employer must then provide the employee with a copy of their personal data and information about how their personal data is collected, processed, and disposed of, if applicable. This should be supplied in an accessible, succinct, and understandable format and in a secure manner.

If an employee submits a request electronically, the employer shall deliver the information in a commonly used electronic format unless the employee specifies otherwise.

The employer should keep track of when the employee submitted the request, when they received a response, who provided the information, and what information was delivered.

Employers cannot charge a fee for dealing with subject access requests in most cases, but they can impose a fee to offset the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an employee asks for further copies of their data.

Time limits to respond to a DSAR

An employer must reply to a subject access request without undue delay, and no later than one month after receiving the request from the employee.

This time limit can be extended by two months if the request is complicated or if the employer has received multiple requests from the same employee.

Within one month of receiving the subject’s request, the employer must notify them and explain why the extension is required.

If an employer has a lot of data about an employee, they can ask them to indicate the data or processing activities they’re looking for.

The deadline for responding to the employee’s request is paused until the employee provides this clarification.

The employer may also need to request more information to authenticate the person’s identification, particularly in the case of former employees, and the timeframe for replying will not begin until such information is obtained.

However, any clarification or identification documents required by the employer should be obtained as soon as possible.

If an employer refuses to comply with a subject access request, the employee must be notified within one month of receipt of the request, together with the grounds for the rejection.

The employer must also inform the employee of their right to file a complaint with the Information Commissioner’s Office or to pursue legal action.

Subject access request & legal risks

Dealing with subject access requests from workers presents a number of logistical and legal issues, not least since no two DSARs are the same.

A common risk is failing to recognise that a subject access request has been made. Because requests can be made in a variety of ways and to any part of the organisation, the employer may not recognise, or be alerted to, a request, and determining when one has been made can be challenging in practice.

Failure to respond within the time limits is also a frequent issue for employers. Data about an employee, or former employee, may be held in several electronic or manual filing systems, making it difficult for the employer to locate and retrieve the information sought. Even where the time limit can be extended because clarification of the precise information sought is required, the employer must act quickly in obtaining that clarification from the employee.

Before providing the formal response, the employer must also take steps to verify the identity of the employee who made the request; mistakes of this kind are more easily made in relation to former employees.

Subject access request company policy

Irrespective of whether an organisation receives frequent subject access requests, it is still advisable to have a policy in place to ensure that any requests are handled correctly, efficiently and promptly.

A DSAR policy should provide guidance on how to handle requests appropriately, consistently, and within the specified time constraints. The policy should also provide employees with details of the DSAR process, such as who to direct the request to and what information should be provided.

How a company handles subject access requests can vary, depending on the size of the organisation and the resources available to it.

In most cases, a DSAR policy should include the following:

  • The policy objective & purpose
  • The rights & responsibilities of both employees and employers in relation to subject access requests
  • How employees should make a personal data request
  • How employers should recognise a subject access request
  • Who is authorised to handle requests
  • How to lawfully respond to a request
  • Any supplementary information to be provided
  • When and how a request might be legitimately declined
  • How to retain records of requests received, responses made and any refusals to respond

Employers must also have appropriate information management systems in place throughout their organisation, allowing them to efficiently search and retrieve information, as well as provide that information securely, in the correct format, and without delay.


Legal disclaimer

The matters contained in this article are intended to be for general information purposes only. This article does not constitute legal advice, nor is it a complete or authoritative statement of the law, and should not be treated as such. Whilst every effort is made to ensure that the information is correct, no warranty, express or implied, is given as to its accuracy and no liability is accepted for any error or omission. Before acting on any of the information contained herein, expert legal advice should be sought.


Author

Gill Laing is a qualified Legal Researcher & Analyst with niche specialisms in Law, Tax, Human Resources, Immigration & Employment Law.

Gill is a Multiple Business Owner and the Managing Director of Prof Services - a Marketing & Content Agency for the Professional Services Sector.
