A Data Subject Access Request, known as a DSAR, is just a written request made by an employee to their employer for information. All employees are allowed to request certain information from their employer and you would usually expect to see a DSAR from an employee as part of a grievance, disciplinary or employment tribunal process.
The information that employees can request from their employers is set out in section 7 of the Data Protection Act 1998 (DPA). DSARs usually request:
- confirmation about whether any personal data is being processed about them;
- a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- copies of information comprising the data; and
- details of the source of the data (where this is available).
Once an employer has received a DSAR from an employee, they must respond within 40 days of receipt. The employer can charge up to £10 for dealing with the DSAR but, in practice, processing the DSAR will cost the Human Resources team much more than that.
When responding to a DSAR, the Human Resources team should remember that an employee seeking access to their personal data is not required to justify or explain the request in any way. The team should also carefully check whether the information requested falls within any of the exemptions.
Human Resources teams should be wary of dealing with DSARs which are made to obtain pre-action disclosure. Although it can be tempting to respond to an excessive DSAR arguing that it would be disproportionate to reply, a couple of cases (Ashley Judith Dawson-Damer and others v Taylor Wessing LLP and others (2015) and Gurieva v Community Safety Development Ltd (2016)) have highlighted:
- that it is a high hurdle to clear to show that a request is not proportionate;
- that there is a real difficulty in convincing the Information Commissioner’s Office and the courts that DSARs should be dismissed as an ‘abuse of process’; and
- that just because an employer is taking advice from a solicitor, this does not necessarily mean that the employer can apply the legal professional privilege exemption to all of the data held about the employee to prevent disclosure.
Changes Are Coming
From 25 May 2018, the General Data Protection Regulation, known as the GDPR, will apply in the UK, irrespective of Brexit.
The GDPR contains a new framework which applies to ‘controllers’ and ‘processors’. It will affect most employers who are currently subject to the DPA. The key changes for employers are as follows:
- The timeframe for responding to a DSAR will be reduced from 40 days to one month. Most employees won’t have to pay a fee as part of their DSAR, unless the request is “manifestly excessive”;
- Employers will need to comply with new limits on ‘profiling’ their employees. This relates to computer data on many of their preferences, behaviour and performance;
- Employers may need to carry out changes to their data protection compliance which could include appointing a Data Protection Officer, also known as a DPO;
- Employers will need to notify the ICO (and any other relevant bodies) of a data breach that will cause the employee affected some form of damage, within 72 hours;
- If an employer carries out a criminal conviction check before hiring a new employee, there will be a new piece of legislation enacted to deal with this ‘sensitive personal data’.
If you need help to respond to a Data Subject Access Request or you need to know what constitutes ‘personal data’ within the meaning of the Data Protection Act, we can help. We can also make sure that you comply with the Freedom of Information legislation.
Call us on 0117 926 4121 or make a free online enquiry now.