What would your business do if an employee asked to see their HR records by making a Subject Access Request?

Under section 7 of the Data Protection Act 1998 (DPA) employees are entitled to make a data “subject access request” (SAR) to see a copy of the information an organisation holds about them.

On the payment of a fee of not more than £10, employees are entitled to know what information is held about them, and to receive copies of that information. SAR’s should be actioned promptly and normally within 40 calendar days.

However, the right of access goes further than this, and an employee who makes a written request and pays a fee is entitled to be:

• ·        told whether any personal data is being processed;
• ·        given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
• ·        given a copy of the information comprising the data; and given details of the source of the data (where this is available).

Employees may make a ‘subject access request’ on payment of a fee of not more than £10. They are entitled to know what information is held about them and to receive copies of that information. Subject access requests should be actioned promptly and normally within 40 calendar days.

An employer can challenge or limit a SAR in a number of ways. If the request is very wide the employer can legitimately ask the employee to narrow it so that it is more focused and proportionate. It may be sensible to seek to agree with the employee making the request the search terms to be used, the time period in respect of which a search is to be carried out.

An SAR gives an employee the right to the information rather than documents. Consequently, if an employee’s record identifies a 3^rd party who hasn’t given their permission and it would not be reasonable to give the employee access to those records, then the documents/records can be redacted.

 Also, some of the data may fall into one of the categories which are exempt from disclosure in response to a SAR – examples include where the data is covered by legal privilege, or where data relates to the prevention of crime or the assessment or collection of taxes.

Recent Case Law makes it more difficult for employers to challenge SARs which they consider are fishing expeditions. Other case law although not based on employment makes it clear that a failure to comply with a SAR may exacerbate any procedural inadequacies in a disciplinary or grievance process. The ICO Code of Practice   and recent case law show that employers must take SARs seriously.

This article was posted by Sean McCann the Managing Director of People Based Solutions an outsourced HR consultancy that offers advice,and support toSME’s in managing their employer compliance obligations