HR often becomes involved in data handling when an employee asks to see their personnel file, which is in effect a ‘subject access request’.
Such requests frequently arrive alongside a grievance or a resignation. Because they tend to come from aggrieved individuals who will scrutinise the response closely, it is worth making sure you are up to date with the changes brought in by the GDPR, which is enforceable from 25 May 2018.
How do you provide access?
The purpose of a subject access request is to let the individual confirm what personal data you hold about them and verify that it is being processed in accordance with data protection law. There are a number of factors to balance:
1. Verify identity – if you cannot be sure that the person making the request is the data subject, you may ask for additional details, but only as much as is needed to confirm identity; a request is not an opportunity to collect further personal data. A request made verbally (e.g. over the phone) should be confirmed through a channel you already hold on record, such as a reply from the employee’s known e-mail address, rather than contact details supplied during the call.
2. Provide a copy – data held electronically or on an information system must be supplied in a commonly used format, such as a Word document, a PDF or a hard-copy letter. Where the request itself was made electronically, the information should be provided in a commonly used electronic form unless the individual asks otherwise.
3. Arrange remote access where possible – the GDPR encourages controllers, where possible, to give the data subject secure, direct remote access to their own data. For example, an employee could log on to their own profile in an employee database and see exactly what is stored about them and how it is processed. Any such self-service access must itself be properly authenticated and restricted to the requester’s own record.
4. Protect the identity of others – you may restrict or redact information where disclosing it would infringe the privacy of other individuals. In some cases restrictions may also apply to sensitive business information, e.g. redundancy plans. Apply any redaction narrowly: withhold only the information the exemption covers and provide as much of the rest as possible.
What is the timescale for compliance?
A request must be complied with in full as soon as possible and without undue delay, and in any event within one month of receipt. Where requests are particularly complex or numerous, that period can be extended by up to a further two months, but the employee (or data subject) must be told of the extension and the reasons for it within one month of the date the request was received.
Are fees chargeable?
With effect from 25 May 2018, it is no longer lawful to charge a fee for responding to a request.
There are two exceptions, in which a reasonable fee based on administrative costs may be charged:
• If additional copies of information that have already been provided are requested again.
• If the request is ‘manifestly unfounded or excessive’. *
Can you refuse a request?
It is possible to refuse a request if:
• The identity of the data subject cannot be verified, even after reasonable further details have been requested (this can arise, for example, with an ex-employee).
• It is deemed that the request is ‘manifestly unfounded or excessive’.
* Take care before deciding that a request is ‘manifestly unfounded, excessive or repetitive’ and therefore warrants a fee or a refusal. Case law suggests it is rare for a court to agree that an access request meets this description, and the burden of proving it rests with the employer (data controller).
If, for whatever reason, the request will not be complied with, the employee (or data subject) must be told without undue delay and within one month at the latest, with the reasons for not acting. They must also be informed of their right to lodge a complaint with the relevant supervisory authority (in the UK, the ICO) and to seek a judicial remedy.
Webinar Recording to Watch on Demand
Watch the webinar recording ‘The Future of Subject Access Requests Under the GDPR’ to make sure you understand what the changes are and how to prepare for them.
If you need HR support, we have experts who can help review your circumstances and provide you with practical support and advice. Call 0844 324 5840 or contact us online to find out how we can help your business.