What is a data subject access request?
A subject access request, otherwise known as an ‘SAR,’ is a written request to a company or organisation in which an individual asks for access to any personal information that the business may hold about them.
Under the terms of GDPR, which became law within the UK on 25th May 2018, it is a legal right for any citizen within the UK to access any personal information that a company may hold about them. They can exercise this right at any point, and at no financial cost.
In detail, a person has the right to request:
Data subject access requests are relatively easy to make on the part of the individual or employee, but they can also be problematic or time-consuming for employers. Their primary use is for individuals to check that their personal data is being processed lawfully in accordance with GDPR regulations, but employees can also use subject access requests as a legitimate fishing exercise prior to instigating legal action.
What is GDPR?
General Data Protection Regulation, or GDPR, came into force in 2018, and replaces the current Data Protection Act 1998. It harmonises data protection laws across the EU, and updates the previous regulations to take full account of globalisation, and the ever-changing technology landscape. Businesses will now need to demonstrate that they comply with the regulation when handling personal data.
The regulation applies to any company processing the personal data of individuals in the EU in relation to offering goods and services, or to the monitoring of their behaviour. Significant penalties can be imposed on employers who breach the GDPR, including fines of up to €20 million or 4% of the business's annual turnover, whichever is greater. The level of fine will depend upon the type of breach and any mitigating factors, but fines are designed to strongly penalise any employers who show a disregard for the GDPR.
What is classed as personal data?
Personal data refers to data that relates to a living person who may be identified from the data (or from data and any other information that a business may be in possession of, including any expression or opinion about the individual, or indications in respect of the individual).
It is classed as information that relates to the individual in his or her personal, family, business or professional life where the individual is the focus or central theme of the information.
The GDPR regulations apply to the processing of personal data that is:
Personal data only includes information relating to natural persons who can be identified, or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
Personal data may also include special categories of personal data, or criminal conviction and offences data. These are considered to be more sensitive, and they can only be processed in limited circumstances.
Why must employers comply with new regulations?
You must legally comply with all regulations relating to subject access requests under the terms of GDPR. A failure to meet a stipulated deadline, or to provide an employee with the legally correct data that they have requested, could potentially leave you facing significant penalties.
The Information Commissioner's Office (ICO), which upholds and regulates the terms of GDPR within the UK, has a range of enforcement tools available, depending on the severity of the offence committed by the employer. These include issuing warnings, reprimands, ordering compliance, and issuing fines.
How can I tell what is a valid subject access request?
A valid data subject access request must be made in writing, but there is no particular prescribed form. You must also be satisfied as to the identity of the data subject, and should not automatically assume that the person making the request is necessarily who they say they are.
If a request is submitted via a third party, such as a solicitor, then you must also be satisfied that the request has been authorised by the individual in question.
Is there any information that employers don’t have to disclose?
Under the terms of GDPR, as an employer you may be able to withhold personal data if you feel that disclosing it could ‘adversely affect the rights and freedoms of others.’ Current exemptions which are still relevant to employers under the terms of GDPR include:
Are there any circumstances in which an employer can refuse a subject access request?
Under the terms of GDPR, an employer may withhold personal data if they can demonstrate that disclosing it could ‘adversely affect the rights and freedoms of others.’ The UK government also holds further exemptions on matters such as national security, defence and public security.
Is there a timeframe for responding?
Under the new GDPR regulations, UK employers are required to respond to an SAR ‘without undue delay, and in any event within one month of receipt of the request.’ Under previous data protection laws, the limit was slightly longer at 40 days.
However, although the time limit has been reduced under GDPR, employers are also allowed to extend the official deadline by up to a further two months (three months in total) where requests are deemed to be ‘particularly complex or numerous.’ Where this is the case once information gathering begins, the company in question must contact the individual who made the request within one month of their original contact, with adequate information to explain why an extension to the deadline will be necessary.
As an employer, you must provide good evidence as to why the delay is necessary, but it is highly unlikely that you will be challenged by any official bodies as long as the need for a longer process is properly evidenced.
How has GDPR changed subject access requests?
Some differences have been detailed above, but a basic checklist of the differences that have emerged for subject access requests since the introduction of GDPR includes:
Subject access requests – an employer checklist: