Subject access requests – what do we have to disclose?
Subject access requests are requests made by individuals under the Data Protection Act 1998 to see copies of any data held about them. The main purpose of subject access rights is to enable an individual to check whether their data is being processed unlawfully, in a way which infringes their privacy. Often in an employment context such requests are used to seek disclosure of information that may assist an individual in a potential claim to the Employment Tribunal or court.
One of the biggest headaches around subject access requests in employment is that quite often, employers find they are having to disclose information, such as references, which they had not anticipated an employee ever seeing. You may find our previous articles on references here and here of interest.
When making a subject access request, an individual should include the following:
- A £10 fee.
- Evidence to confirm their identity.
- Any information necessary to locate the information sought.
An employer is not obliged to comply with the request until the above has been provided.
Such requests can be tricky because they can sometimes be quite onerous to deal with (both in time and expense), and there are various rules to navigate about data which could be exempt from disclosure in the employer’s response. In addition, there is a time limit in which an employer must respond to a request – 40 days from receipt of the request. You can see our previous article about subject access requests here.
An interesting example is shown in a case study published by the ICO (Information Commissioner’s Office).
The case study concerned an employee who was having a difficult time in his working relationship with his line manager, and felt he was being treated unfairly. The employee put in an application to transfer to another area of the business, but this was refused.
The employee made a subject access request to see what his line manager had said about him at a meeting where transfer requests were discussed. This revealed that the line manager had made some disparaging remarks about the employee, most of which were opinions, although there was also a comment made about the amount of sick leave taken by the employee.
The employee complained about the remarks and asked for these to be removed from his personnel file. This was refused. The employee then contacted the ICO who advised him to request that a note was put on his personnel file to say he disagreed with the opinions of his line manager. The note was added by the employer. In addition, the employee challenged the sick leave and this did turn out to be a mistake, so the employer corrected the amount of sick leave on his file.
We can guess that the employee’s line manager had really not anticipated his remarks in the meeting ever being seen by the employee, but had he been trained and made aware of data protection requirements he may have acted differently.
The case study also brings us to an important ‘hot tip’ for employers, which is to think carefully about how and why data is held, and what format that data is held in. Sometimes, it may be best to have a telephone conversation or face-to-face discussion rather than written notes or emails. That said, written records can be really helpful in demonstrating that decisions have not been taken for unlawful reasons in the event of claims (such as an employee raising a claim in the Employment Tribunal that their transfer request was refused because they are disabled). Therefore, perhaps of more importance is to ensure staff are trained both in data protection principles and equality, so that records that are generated remain professional and are more likely to be helpful in the event they are disclosed under a subject access request.
You should note that the data protection legislation does allow for some data to be withheld if it meets certain criteria. Employees could not get hold of correspondence employers have made with solicitors (which is exempt by virtue of legal privilege), or where personal data is processed in connection with management forecasting or planning such as a staff redundancy programme before it is announced.
If you have received a subject access request, and you are unsure what data has to be disclosed, then you should seek advice.
If you would like to talk through a situation you are dealing with, or if you need advice on any aspect of employment law, please contact any member of the Pure Employment Law team (01243 836840 or [email protected]).