How to deal with a Subject Access Request
Under Section 7 of the Data Protection Act 1998, employees have the right to ask their employer what personal data it holds about them, the purposes for which that data is being processed and who it may be disclosed to. This is known as a Subject Access Request (SAR). The employee is also entitled to a copy of the data in permanent (hard-copy) form. Beyond requiring that the request be made in writing, the legislation does not prescribe any particular format, but many companies prefer to provide a form for data subjects to complete.
An employer can charge a reasonable fee. The maximum fee permitted under the Act is £10.00 for most requests, and the employer is entitled to receive payment before providing the data. Special rules apply to paper-based health records (maximum fee currently £50) and to education records (a sliding scale from £1 to £50 depending on the number of pages provided).
The employer may legitimately charge a fee for every request, so if the individual does not specify all the information they require in their first letter, a further fee can be charged for information requested on a later occasion.
It is not always necessary to treat a request for information as a formal request under the Act. If the request is one the employer would routinely answer in the ordinary course of business, it can simply be dealt with as routine correspondence; the employer should decide at the outset whether a particular request needs to be handled as a formal Subject Access Request.
The employer has 40 calendar days within which to respond to a formal request. The 40-day period does not begin until the employer has received the request, the fee and any further information it reasonably requires, as follows:
The employer must satisfy itself that the person making the request is the data subject and not someone impersonating them; without this check, the SAR process itself becomes a route for disclosing personal data to the wrong person. Using a Subject Access Request form is a good idea because it helps to demonstrate that the employer's identification and verification procedures are adequate and robust.
The employer can ask for further information to help it locate the data the person seeks. The individual is entitled to request copies of all the information held about them, but the employer may offer to help them narrow the request so that the relevant material can be found more quickly.
The employer should record the dates on which the request, the fee and any further information were received, so that it knows exactly how long it has to satisfy the request. If the employer fails to respond within the 40-day period, the individual can obtain a court order requiring it to comply. Failure to respond in time is also a breach of the sixth data protection principle, which means any person affected by the breach may bring an action for damages (provided they can prove loss) and for any associated distress. In addition, the individual may report the failure to the Information Commissioner (IC), who may choose to investigate the employer's practices.
The ICO Code
In August 2013, the Information Commissioner’s Office (ICO) published a new code on SARs.
Key recommendations in the code include:
Establish and maintain a written policy that records where personal data can be found, how it is processed and how the company handles SARs.
Ensure everyone who makes a SAR knows what is happening with their request, by acknowledging receipt and telling the employee the date by which a response will be issued.
Discuss the scope of the request with the employee and ask for any further information that will help to track down the data requested.
Set up a system that keeps track of requests and records how the information was located, together with any redactions made or exemptions relied on.
Allocate responsibility for dealing with SARs efficiently and on time to a specific person or team.
Organise data consistently so that it is far easier to find, without having to go back to the employee for more information or taking longer than the Data Protection Act allows.
Employers do not have to comply with every Subject Access Request in full. The Act contains specific exemptions under which information can be withheld, the main ones being:
Legal professional privilege attaches to any document created for the dominant purpose of use in current or reasonably anticipated litigation. The document can have been created by any person, provided that this was its dominant purpose.
Legal professional privilege also attaches to any document created in order to obtain legal advice from a barrister or solicitor. This will include documents created by third parties as part of the process of giving or receiving that legal advice.
Management forecasting or planning: where personal data is processed for the purposes of management forecasting or planning and disclosure would prejudice the conduct of the business, it need not be disclosed.
Health: where disclosure would be likely to cause serious harm to the physical or mental health of the employee or any other person, it is not required. Before relying on this exemption, employers should consult the appropriate health professional.
References to a third party
If the information requested contains details about a third party, it does not have to be disclosed unless the third party consents or it is reasonable in all the circumstances to comply without that consent.
For example, it may be reasonable to disclose the information where the third party is the line manager of the employee making the request. Otherwise, third-party information should be redacted.
Confidential references: personal data is exempt from the right of subject access if it consists of a confidential reference that the organisation gives (or is to give) in connection with education, training or employment, the appointment of office holders, or the provision of services. The exemption applies only to references the employer gives, not to references it receives.
Note also that legal professional privilege covers advice from barristers and solicitors only. Advice the employer receives from its accountant, management consultants or other non-lawyer advisers does not attract privilege and may therefore have to be disclosed.
What should employers do?
Exercise caution when sending information out in written form (by letter or email). If sensitive matters have to be discussed, do so in person or by telephone so that they are not documented and therefore not subject to disclosure.
Copying a lawyer in on an email does not by itself make it a legally privileged document. For privilege to apply, the lawyer must be involved in giving legal advice or there must be a real prospect of litigation.
Even where an email is a legally privileged document, that privilege may well be lost if the email is forwarded on to others.
Keep an up-to-date list of the systems, devices and locations that hold personal data, so that the information can be found quickly and efficiently when a request arrives.
Always get legal advice.
It should be noted that from 25th May 2018 the General Data Protection Regulation (GDPR) will apply. The GDPR changes the way the subject access regime operates, among other things removing the standard £10 fee and shortening the response period to one month, and employers need to be aware of this.
Log on to rradarstation, which offers so much more business legal support including Health & Safety and Employment disputes. We’ve got lots of information on business related topics, to help your organisation run smoothly and minimise your risks.
Top Tip to Remember: Our free templates are all located at the bottom of the rradarstation webpages.