I am finding that employers are increasingly being asked to respond to Data Subject Access Requests from employees or former employees. Employees are entitled to access personal data about themselves. Specifically, processed information recorded about them, for the purpose of checking whether the data controller’s processing of their data does not unlawfully infringe their privacy and if there has been an infringement, to take steps to protect their data.
There seems to be much confusion amongst employees and their advisors as to the ambit of a Data Subject Access Request.
The law protects and gives rights to “data” that is information being processed automatically by computer in response to instructions given for that purpose and recorded as part of a relevant filing system, or with the intention it should form part of an electronic filing system. A relevant filing system includes any set of information relating to the individual whether electronically or manually stored, where the set of information is structured either by reference to the individual or by reference to criteria relating to the individual in such a way that that specific information is readily accessible.
It is not a process to enable disgruntled employees or their lawyers to go on a fishing expedition to obtain documents to:
- pursue or which may assist in pursuing litigation;
- to access any information in documents in which an individual may be named or involved;
- to seek to embarrass the employer.
Data Subject Access Requests need to be responded to within 40 days. Such requests should be dealt with promptly, but strictly within the parameters for which the protection was meant.
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing. Our privacy notice which we are obliged to give you under the GDPR is available here.