GDPR for HR – Subject access requests
Data subjects have the right to:
- obtain confirmation that their personal data is being processed
- access the data, including receiving a copy of it
- be provided with supplemental information about the processing
Subject access requests
They can exercise these rights by making a ‘subject access request’. Such requests are usually made when a matter is before an Employment Tribunal or during internal investigations, as part of disclosure.
Subject access request fees
With regard to subject access requests, the current £10 fee has been removed, but if a request is ‘manifestly unfounded or excessive’, you can charge a fee. What amounts to ‘manifestly unfounded or excessive’ has not been defined, and we may have to wait for guidance from the ICO to get some clarification.
Deadlines for responding
The deadline for responding has changed. Employers must now respond to requests ‘without undue delay’ and at the latest within one month.
There is a possibility to extend this by a further two months so long as the employee is kept informed before the month’s expiry about the extension and the reasons why further time is required. This will usually be the case if the request is particularly complex or the documents to be provided are voluminous. The employee must also be given an updated timeframe for response.
What personal data should we provide?
In terms of the information that should be provided, GDPR says that you should provide ‘a copy of the personal data’ that is being processed. This can include all the usual pieces of information but also wherever the data subject’s name is mentioned, for example, in emails, provided there is some other pertinent or identifying information mentioned too.
In addition, you should provide supplemental information such as the purposes of processing the information, the categories of data processed, the recipients of any personal data, the envisioned retention period and the individual’s right to erasure.
We are still awaiting further ICO guidance on this topic and anticipate we will receive this in early 2018.
What should HR professionals do?
- Develop template response letters to subject access requests to ensure that all elements of supporting information are provided
- Assess your organisation’s ability to collate, retrieve and provide data in compliance with GDPR
For more information or guidance, please get in touch with:
Partner and Head of Employment
T. 020 7227 7410
This briefing is for guidance purposes only. RadcliffesLeBrasseur accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.