Tackling Subject Access Requests from staff – top tips for employers
- 57% of EU citizens polled indicated greater awareness of their data protection rights since the introduction of GDPR.
- Individuals in the UK complain about data protection more than all other EU member states.
- The UK has the highest number of data breach notifications concerning unlawful disclosures of personal data.
- 47% of businesses fear they still don’t meet the requirements for GDPR.
- Since March 2019 there has been a 20% increase in data protection complaints across EU member states.
What is a SAR?
A subject access request (SAR) entitles an individual to find out what personal data you (the “Data Controller”) hold about them, why you hold it and who you disclose it to, and to receive a copy of that data. For information to be personal data, it must relate to a living individual and allow them to be identified from it, directly or indirectly.
Employees and workers often make Subject Access Requests to current or former employers to obtain information relating to their employment. Requests are often made when an employee has raised a grievance, after a disciplinary process is commenced, or with a view to pursuing a Tribunal claim.
Once a request is made you have one month to respond. That period can be extended by up to a further two months (three months in total) only where the request is complex or you have received a number of requests from the same individual, and you must tell the individual about the extension, and the reasons for it, within the first month.
Responding can be hugely burdensome because of the time it takes to identify, search for and gather the personal data requested.
What if you fail to comply with a SAR?
Failing to meet the deadline, or failing to give staff access to all the personal data they are entitled to, exposes you to significant risk and penalties.
In the UK the data protection supervisory authority is the Information Commissioner’s Office (ICO), which has a range of enforcement tools available, including issuing warnings, conducting audits, ordering compliance and imposing large fines. The individual may also complain to the ICO or ask a court to order you to comply.
Practical tips on dealing with requests
Dealing with Subject Access Requests can be really difficult for employers; however, our practical tips should help to minimise their impact.
- Reduce the volume of data you hold – a robust, consistently applied system for retaining and deleting documents will reduce the number of emails and other documents you have to review. Deletion must happen under that standing policy: deleting or altering records after a request has been received, in order to avoid disclosing them, is a criminal offence under the Data Protection Act 2018.
- Ask if there is anything they are specifically looking for – in the majority of cases the individual is looking for something in particular. Requesting that they reduce the scope of their request by a date range or email sender will help considerably.
- Make sure the person responsible for conducting the search understands the definition and meaning of “personal data” and “sensitive personal data” (now called “special category data” under the GDPR) so that it can be identified quickly and easily.
- Extract data or provide documents? – when providing someone with access to their personal data you should not disclose personal data about someone else unless that person consents or it is reasonable to disclose it without their consent. You may therefore have to redact the documents, which can be time consuming. An alternative may be to extract the relevant data from the documents and provide it to the person making the request in a different format.
- Rethink what you put in writing – if something isn’t recorded (in hard copy or electronically, including email and instant messages) there is nothing to disclose.
- Use a data room or other secure mechanism to provide the documents to the employee. This is easier for you than trying to send a huge file via email, and it avoids sending a large volume of personal data over unencrypted email, which would itself be a disclosure risk.
How can we help?
- Advice on data protection compliance and responding to Subject Access Requests. This can be ad hoc advice or ongoing support as part of our HELP service.
- Letters and documents for acknowledging and responding to the request.
- Access to a secure data room, which is an efficient, safe and compliant way to provide the data.
- In-house assistance – responding to requests can be a huge task. We can help project manage your response by identifying what data you should be looking for and where, as well as assisting with the provision of the data and redaction of documents.
- Training your staff so they know how to best deal with a request to save time in the future.