An individual has the right to request access to their personal data, but handling subject access requests effectively can be tricky, costly and time-consuming. Here are some key points for employers about handling such requests.
A DSAR (data subject access request) is a request made by an individual to a ‘data controller’ (in this context, an employer) for access to their ‘personal data’. It can be made in writing or orally.
‘Personal data’ means any information that can be used to identify a living individual. For example, it can include their name, date of birth or employee identification number, or any other information or description by which they can be identified.
Access to the data must be provided promptly and normally within one month of receipt of a valid request. This may be extended by two further months in some circumstances, such as where the request is particularly complex or where there are numerous requests.
Given the number of documents that can be returned by a DSAR and the time often involved in locating and reviewing the information (see below, under ‘Locating the data’ and ‘Reviewing the data’) it is important to start the searches quickly.
Locating the data can take a significant amount of time. Although the requirement is only to carry out a ‘reasonable and proportionate’ search, in the employment context the information may be held in a wide range of places. For example, this would include not just HR files but also emails and notes of meetings, which may be held by various custodians in different places.
Before providing the data, it should be reviewed to check whether it includes any third-party personal data, in which case you may need either to obtain consent from that individual before disclosing it or to redact or withhold that data. Certain exemptions may also apply which mean you are not required to provide certain categories of personal data; for example, it may be covered by legal privilege.
The data should be provided in a secure and easily accessible way, together with certain prescribed information about what has been provided to the requester.
Employees who believe there has been non-compliance may complain to the Information Commissioner (or the Data Protection Commission in Ireland), who has wide powers of investigation. They can also apply to court for a compliance order and seek compensation.
Ultimately, the Information Commissioner (or the Data Protection Commission in Ireland) has the power to levy fines. Although we are not aware of any fines having been imposed to date, the maximum fine under the GDPR is up to €20 million or 4% of annual turnover, whichever is higher.
Businesses may face reputational damage if they are found to have failed to comply with their obligations.
Many businesses have processes in place for handling DSARs. Employers may want to keep these under review to ensure they remain fit for purpose and are working efficiently and effectively. They may also want to consider putting in place training for the relevant parts of the business and seeking advice on trickier DSAR issues.
This note is information only and is not legal advice.