Guest post written by IAM partner, HR Solutions.
A common way HR gets involved with data handling is when an employee asks to see their personnel file and, in doing so, makes a “subject access request”. These requests often arrive alongside a grievance or a resignation. Since it tends to be the more disgruntled individuals who make them, it is worth making sure you are up to date with the changes the GDPR brings; it is enforceable from 25th May 2018.
What is a subject access request?
In short, an employee or worker can ask their employer what personal data it holds on them and how that data is used. The response should enable the individual to verify that their data is being processed in accordance with data protection law.
How to provide access
There are a number of factors to juggle here:
1. Verify identity – if you are unsure of, or unable to confirm, the identity of the person making the request, you may ask for additional personal details to verify that they are the data subject. Only ask for information that is sufficient for this purpose. A request made verbally (for example over the phone) should be verified through another channel, e.g. a confirmation from a known e-mail address.
2. Provide a copy – any details held electronically, or on an information system, should be supplied in a commonly used format, such as a Word document, a PDF or a hard-copy letter.
3. Arrange remote access where possible – the GDPR (Recital 63) states that, where possible, the controller should be able to provide remote access to a secure system that gives the data subject direct access to their personal data. For example, an employee could log on to their own profile in an employee database to see exactly how their data is stored and processed. This is a recommendation rather than a strict obligation, but it reduces the effort of responding to repeat requests.
4. Protect the identity of others – you may restrict or redact information if providing it would infringe the privacy of others. In some cases, restrictions can also apply to sensitive business details, e.g. redundancy plans. Apply these exceptions with caution and make every effort to provide as much of the requested information as possible.
Timescales – 1 month to comply
A request must be complied with in full as soon as possible and without undue delay. The maximum time allowed for compliance is one month from receipt. Where the request is particularly complex, or a number of requests have been received, it is possible to extend this by a further two months; however, the employee (or data subject) must be informed of the extension and the reasons for it within one month of the date the request was received.
With effect from 25th May 2018, it is no longer lawful to charge a fee for processing a request, with a few exceptions:
- If additional copies of information that has already been provided are requested again.
- If the request is “manifestly unfounded or excessive”.
Refusing a Request
It is possible to refuse a request if:
- It is not possible to verify the identity of the data subject (e.g. an ex-employee whose details can no longer be confirmed).
- The request is deemed to be “manifestly unfounded or excessive”.
* Take care before deciding that a request is “manifestly unfounded, excessive or repetitive” and that it warrants a fee or a refusal. Case law suggests a court will rarely agree that an access request fits this description, and it is for the employer (as data controller) to demonstrate that it does.
If, for whatever reason, the request will not be complied with, the employee (or data subject) must be informed without undue delay and within one month at the latest. They must also be told of the reasons for the refusal, of the possibility of lodging a complaint with the relevant supervisory authority (in the UK, the ICO), and of their right to seek a judicial remedy.
There is a free webinar on 24th April called “The future of subject access requests (under GDPR)”; sign up via our trusted partner.