If you’re an employer, it is important that you understand your data protection obligations to avoid enforcement action and potential reputational damage.
In this guide, we look at how to respond to a data subject access request (DSAR) from an employee, and explain when the right of access applies, when it can be refused and how to lawfully deal with a request.
What is a data subject access request?
Under the Data Protection Act 2018, an employee has the right to ask you what personal data you hold about them and to obtain a copy of that data. This is commonly referred to as subject access, with the employee as the data subject.
Any information about employees, where they are individually identifiable and the information relates to them as an individual, will normally constitute personal data for the purposes of a data subject access request.
How must a data subject access request be made?
The data subject access request can be made in any format, verbally or in writing, and either physically or electronically. This can include, for example, by way of phone call, in person, by email or web contact form.
It can also be made to any part of your organisation, including by social media, and does not have to be to a specific person or point of contact. The request does not have to include the phrase ‘data subject access request’; it must simply make it clear that the employee is requesting their personal data.
Is there a time limit for responding to a request?
You must respond to a data subject access request without undue delay, and within one month at most of receipt of the request.
You can extend the time limit by a further two months but only if the request is complex, or you have received a number of requests from an employee. Further, you must let the individual know within one month of receiving their request and explain why the extension is necessary.
Can I charge a fee for responding to a request?
In most cases, you cannot charge a fee to deal with a data subject access request; the information must be provided free of charge.
If the request is manifestly unfounded or excessive you may charge a reasonable fee, but only for the administration costs of complying with the request. You can also charge the administration cost of providing further copies of personal data.
What information must be provided in response?
When responding to a data subject access request from an employee, you must provide the data subject with the following information:
- Confirmation that you are processing the employee’s personal data
- A copy of that personal data
- Details of how that data is collected, used and disposed of.
Informing employees what personal data you hold about them, why you hold it and to whom you disclose it is key to lawfully dealing with a data subject access request.
In what format should the response to a request be?
The response to a data subject access request should be written in clear plain language and in an easily accessible format.
The information should be clear, concise and capable of being understood by the average person, although you are not required to ensure that the information is provided in a form that can be understood by the particular employee making the request.
You should provide the employee with a hard copy of their personal data, such as a printout or photocopy. If you received the request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
When can a data subject access request be refused?
You do not have to comply with a data subject access request if it would mean disclosing data that relates to a third party who can be identified from that information, unless:
- The third party has consented to the disclosure
- It is reasonable to comply with the request without their consent.
In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including the type of information that you would need to disclose about the third party, any duty of confidentiality owed to them, and what steps you have already taken or could take to seek their consent.
This decision will involve balancing the employee’s right of access against the third party’s own rights. In most cases, at the very least, you should try to ensure any personal data about a third party is redacted, unless of course you have their consent.
You can also refuse to comply with a data subject access request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature, or if a specific exemption under the 2018 Act applies. This can include, for example, personal data that is processed for management forecasting or planning purposes to the extent that complying with a request would be likely to prejudice your organisation.
If you decide not to comply with a data subject access request, you must notify the employee within one month of receipt of the request, providing reasons for your decision. You must also notify the employee of their right to make a complaint to the Information Commissioner’s Office or, alternatively, their right to take legal action.
How do I recognise a data subject access request?
As a data subject access request can be made to anyone in your organisation and in any format, you may not necessarily recognise, or be notified, when a request has been made.
Nonetheless, you have a legal responsibility to identify any data subject access requests and to respond within the relevant timeframe. It is therefore essential to ensure all staff can recognise a valid request, and know who to pass it on to.
You must therefore put in place systems to raise the awareness of both staff and employees in relation to making and dealing with data subject access requests. This could include training and/or the use of a data subject access request form on any staff intranet site that can be easily completed and submitted online.
You may not insist on the use of a particular form for making a request, but making a form available will encourage employees to provide the right information you need to deal with their request.
What are the challenges when handling a data subject access request?
No two data subject access requests are the same; each must be treated individually and can present various challenges, not least being able to recognise a valid request and ensuring a response is given in time.
Equally, it is vital that you verify the identity of the employee making the request so that the information is not sent to the wrong person, which in itself would constitute a data breach.
In some cases, the information requested may be difficult to access, for example, where it is archived or derived from multiple electronic and/or paper sources. However, your duty to comply with a data subject access request extends to any personal data that has been retained, even in a deleted emails folder.
How can I prepare for a data subject access request?
Although the practices that organisations adopt to respond to data subject access requests are likely to differ, depending on their size and the nature of the personal data they hold, it is good practice for any employer to have in place a written policy for handling these requests.
In this way staff will have a clear procedure to follow, ensuring that all requests are dealt with correctly, efficiently and consistently.
In particular, any procedure should ensure that all requests are immediately forwarded to a designated data protection officer or nominated individual and, wherever possible, are dealt with without undue delay and within one month of receipt.
It is also good practice to have a policy for recording details of all data subject access requests you receive, particularly those made verbally, and how these were dealt with.
Should I seek legal advice when dealing with a data subject access request?
When dealing with a data subject access request it is important to seek legal advice, not least in relation to the procedures that you have in place for dealing with such requests.
Your expert legal adviser can give you clear guidance on how to comply with your legal duties, and help you to implement a procedure that enables your organisation to deal with all future requests correctly, efficiently and consistently.
If you fail to comply with a data subject access request, the data subject may enforce their right to access their personal data either by lodging a complaint with the Information Commissioner’s Office or seeking a judicial remedy through the courts.
Subject access request FAQs
What is a data subject access request?
Individuals have the right to access and get a copy of their personal information, as well as any supplementary data. This is generally known as a subject access request or SAR. SARs can be submitted verbally or in writing.
How do I get a data subject access request?
You may submit a subject access request verbally, but it is advisable to do it in writing if at all possible, as this provides a record of your request.
How long does it take to get a subject access request?
You should receive a response to your request within one month. If you have made many requests or if your request is complex, they may require additional time to evaluate your request and may take up to two months longer to respond.
What is the difference between DSAR and SAR?
A subject access request (SAR) is also sometimes referred to as a data subject access request (DSAR).