Subject access requests – what do we have to disclose?

/in /by

Subject access requests are requests made by individuals under the Data Protection Act 1998 to see copies of any data held about them. The main purpose of subject access rights is to enable an individual to check whether their data is being processed unlawfully, in a way which infringes their privacy. Often in an employment context such requests are used to seek disclosure of information that may assist an individual in a potential claim to the Employment Tribunal or court.

One of the biggest headaches around subject access requests in employment is that quite often, employers find they are having to disclose information, such as references, which they had not anticipated an employee ever seeing. You may find our previous articles on references here and here of interest.

When making a subject access request, an individual should include the following:

  • A £10 fee.
  • Evidence to confirm their identity.
  • Any information necessary to locate the information sought.

An employer is not obliged to comply with the request until the above has been provided.

Such requests can be tricky because they can sometimes be quite onerous to deal with (both in time and expense), and there are various rules to navigate about data which could be exempt from disclosure in the employer’s response. In addition, there is a time limit in which an employer must respond to a request – 40 days from receipt of the request. You can see our previous article about subject access requests here.

An interesting example is shown in a case study published by the ICO (Information Commissioner’s Office).

The case study concerned an employee who was having a difficult time in his working relationship with his line manager, and felt he was being treated unfairly. The employee put in an application to transfer to another area of the business, but this was refused.

The employee made a subject access request to see what his line manager had said about him at a meeting where transfer requests were discussed. This revealed that the line manager had made some disparaging remarks about the employee, most of which were opinions, although there was also a comment made about the amount of sick leave taken by the employee.

The employee complained about the remarks and asked for these to be removed from his personnel file. This was refused. The employee then contacted the ICO who advised him to request that a note was put on his personnel file to say he disagreed with the opinions of his line manager. The note was added by the employer. In addition, the employee challenged the sick leave and this did turn out to be a mistake, so the employer corrected the amount of sick leave on his file.

We can guess that the employee’s line manager had really not anticipated his remarks in the meeting ever being seen by the employee, but had he been trained and made aware of data protection requirements he may have acted differently.

The case study also brings us to an important ‘hot tip’ for employers, which is to think carefully about how and why data is held, and what format that data is held in. Sometimes, it may be best to have a telephone conversation or face-to-face discussion rather than written notes or emails. That said, written records can be really helpful in demonstrating that decisions have not been taken for unlawful reasons in the event of claims (such as an employee raising a claim in the Employment Tribunal that their transfer request was refused because they are disabled). Therefore, perhaps of more importance is to ensure staff are trained both in data protection principles and equality, so that records that are generated remain professional and are more likely to be helpful in the event they are disclosed under a subject access request.

You should note that the data protection legislation does allow for some data to be withheld if it meets certain criteria. Employees could not get hold of correspondence employers have made with solicitors (which is exempt by virtue of legal privilege), or where personal data is processed in connection with management forecasting or planning such as a staff redundancy programme before it is announced.

If you have received a subject access request, and you are unsure what data has to be disclosed, then you should seek advice.

If you would like to talk through a situation you are dealing with, or if you need advice on any aspect of employment law, please contact any member of the Pure Employment Law team (01243 836840 or [email protected]).

Please note that this update is not intended to be exhaustive or be a substitute for legal advice. The application of the law in this area will often depend upon the specific facts and you are advised to seek specific advice on any given scenario.
Link to: Contact Us

Any questions? Why not get in touch!

Our advice is always given in plain English without any waffle, and we focus on providing practical solutions to our clients’ problems.

Contact us

LEGAL INFORMATION

Pure Employment Law | 1 Little London, Chichester, West Sussex, PO19 1PH
[email protected] | Tel: 01243 836840

Pure Employment Law is the trading name of Pure Employment Law Limited, registered in England and Wales with company number 07134294 and whose registered office is 1 Little London, Chichester, West Sussex, PO19 1PH. Pure Employment Law Limited is authorised and regulated by the Solicitors Regulation Authority with registration number 533794. A list of the company’s directors is available for inspection at the registered office

DISCLAIMER

The information contained in this website is for general information purposes only. The information is provided by Pure Employment Law and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Privacy Policy | Cookies Policy | Terms & Conditions | How to make a complaint | Sitemap

© Pure Employment Law MMXIX

This site uses cookies. By continuing to browse the site, you are agreeing to our use of cookies as defined in our cookie policy.

Accept Cookie Policy

Cookie and Privacy Settings



We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.