Subject Access and Freedom of Information Requests

In this article, we cover two separate types of request for information which employers may come across:

• Subject Access Requests – These are requests under the Data Protection Act 1998 which allows individuals to request their personal data.

 

• FOI requests – These are requests under the Freedom of Information Act 2000 which gives individuals the right to request information held by public bodies. It does not provide a right of access to personal information.

 

Subject Access Requests

Employees or former employees may seek to request personal data held about them under the Data Protection Act. Common examples are requests for copies of references provided by an individual’s former employer to their potential new employers.

Subject Access Requests must be made in writing. Before complying with the request, employers are entitled to request a fee of up to £10 and information as may be reasonably necessary to determine the identity of the individual making the request. Once they have received this, the employer has 40 days to comply with the request.

In some circumstances, difficulties can arise where the information requested identifies a third party. The Data Protection Act does not require employers to comply with requests if the information relates to a third party that can be identified from the information, unless the third party consents (and steps should be taken to obtain consent) or it is reasonable to comply without their consent. In deciding whether it is reasonable to comply with the request without the third party’s consent, regard must be had to any duty of confidentiality owed to the third party (as may be the case if the third party has supplied a reference).

An employer is not obliged to comply with all Subject Access Requests if the information requested is for example, subject to legal privilege (correspondence passed between a client and their solicitors) or where personal data is processed in connection with management forecasting or planning such as a staff redundancy programme before it is announced.

In addition, an employer is not required to disclose health records in response to a Subject Access Request where disclosure would be likely to cause serious harm to the physical or mental health of the employee or any other person. Employers should consult appropriate professionals before making any assessment about either disclosing or withholding health records.

There are various remedies open to individuals if they suspect their employer (or ex-employer) has breached the rules in regard to Subject Access Requests which can include damages. An employer will have a defence to a claim for damages if it can prove that it had taken such steps as were reasonable in the circumstances to comply with the rules. Therefore, such requests should be dealt with efficiently and appropriate resource allocated to ensure compliance with the request.

 

FOI Requests (to public bodies)

Whilst not entirely employment law related, it is worth mentioning FOI requests because sometimes employment information is the subject of such requests. A recent example was a case heard by the First-Tier Tribunal (Information Rights) which examined whether the details of former public authority employee’s compromise agreement should be disclosed following a FOI request (Trago Mills (South Devon) Ltd v Information Commissioner EA/2012/0028).

Trago Mills had a history of planning disputes with Teignbridge District Council. Trago Mills made a complaint of prejudice and bias against the Council’s senior planning officer who had been involved with the planning disputes. Trago Mills believed that the senior planning officer had been dismissed for misconduct which had been covered up by the Council. Therefore, Trago Mills made an FOI request for details of the senior planning officer’s contract of employment, remuneration and termination payment in his compromise agreement. The Council provided some parts of the contract of employment but refused to disclose the rest on the grounds that it constituted personal data and was therefore exempt under the Freedom of Information Act 2000. The Information Commissioner and the Tribunal agreed with the Council’s decision not to disclose details of remuneration and the termination payment. They said that a former employee would have a reasonable expectation that such information would remain confidential. This outweighed the expectation that the Council are accountable for their expenditure of public money.

However, the Tribunal did not rule out that there may be greater public interest concerns in other cases where similar information is requested and this may outweigh the expectation that such information should remain confidential.

FOI requests have to be made to public bodies in writing and they are obliged to respond within 20 working days or tell the individual why it may take longer than 20 working days. Public bodies can charge individuals for photocopying and postage.

In conclusion, both FOI and Subject Access Requests can be complex to deal with because there are various rules and exemptions to consider. Whether it is a public body or another organisation, advice should be sought as soon as possible when such requests are made.

If you have queries about this article or if there is anything else we can do to help, please get in touch. Please call us on 01243 836840 for a no obligation chat or email us at [email protected].

Please note that this update is not intended to be exhaustive or be a substitute for legal advice. The application of the law in this area will often depend upon the specific facts and you are advised to seek specific advice on any given scenario.