This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
In this scenario, a subject access request (SAR) is a request from an employee to their employer to obtain information as to whether or not personal data is being processed about them.
A trend that we have seen in practice is employees are becoming increasingly aware of their right under data protection legislation. The right which is exercised the most in the employment relationship is the right of access under Article 15, UK GDPR, and most employers will have been on the receiving end of a request.
Why make one?
An employee may be genuinely motivated by a wish to find out what data is being processed and to make sure that it is accurate. However, SAR’s are frequently made in the context of an ongoing dispute or a tribunal or court claim. Some employees may also see the administrative burden and expense to which an employer may be put as offering useful leverage in a dispute and in achieving a settlement.
When to respond?
Regardless of the motivation, when a request comes in, the employer is required to deal with it without undue delay. The legislation gives the receiver one month to comply with the request. This can be extended by up to two further months if the request is complex or there are a number of requests. The employee must have been told about this extension and the reason within one month of the original request.
What to include?
If the information/documents fall within the scope of a request, the employee is entitled to be given a copy of their personal data together with supplementary information on how the data is being processed. We find that some employers simply respond and provide copies and they believe that this is enough and they have complied with their obligations. However, this is not the case. A response needs to include this supplementary information for it to be fully compliant.
Challenges
As discussed at our recent GDPR seminar, some of the challenges that employers may face when dealing with a request are:
- How to carry out a reasonable search of the systems to find the personal data.
- What to do if the information includes third party data.
- How to deal with excessive and vexatious requests.
- How do you disclose data such as CCTV imagery, which includes third party data, and it is not possible to remove third parties by using pixelation tools.
The benefits of legal professional privilege
One of the main takeaways from the session is the benefits of legal professional privilege and how correspondence to legal advisers is exempt from being disclosed in a SAR.
If you’ve received a SAR or are in need of data protection advice, speak to a member of our team.
Share this post: