Managing Data Subject Access Requests

People have the right to access their own personal data – this is to say any information from which they can be identified. In an employment context, this could include any document in which (for example) their name, initials, nickname, job title, payroll number, NI number is mentioned – the list is extensive.

Any employee has a right to ask their employer to send them copies of their personal data, by making what is called a “data subject access request” (DSAR). Businesses that process a lot of personal data tend to find this concept completely overwhelming.

While the General Data Protection Regulations 2016 and the Data Protection Act 2018 aim to increase transparency and the rights of data subjects, the legislation also acknowledges the monumental burden that a DSAR can sometimes create for a business.

In its most recent guidance (published on 22 October 2020) the Information Commissioners Office has recognised the potential for the DSAR to become weaponised by disgruntled employees. To level the playing field, it has for example reintroduced the ability for employers to “stop the clock” on the period for responding while clarification on the scope of the request is sought.

Although businesses can take some steps to gain more time, they are still required to respond “without undue delay”. They must also follow some important procedural requirements about how the response it made, and the additional information which must come with it. In some circumstances, it may be appropriate not to respond at all, depending on your appetite for legal and reputational risk.

This module will help you understand how these rules apply in the context of your own organisation, so you can develop an appropriate process.