I am finding that employers are increasingly being asked to respond to Data Subject Access Requests from employees or former employees. Employees are entitled to access personal data about themselves. Specifically, they are entitled to processed information recorded about them, for the purpose of checking that the data controller’s processing of their data does not unlawfully infringe their privacy and, if there has been an infringement, taking steps to protect their data.

There seems to be much confusion amongst employees and their advisors as to the ambit of a Data Subject Access Request.

The law protects and gives rights to “data”, that is, information being processed automatically by computer in response to instructions given for that purpose and recorded as part of a relevant filing system, or with the intention that it should form part of an electronic filing system. A relevant filing system includes any set of information relating to the individual, whether electronically or manually stored, where the set of information is structured either by reference to the individual or by reference to criteria relating to the individual in such a way that specific information is readily accessible.

It is not a process to enable disgruntled employees or their lawyers to go on a fishing expedition to obtain documents in order to:

  1. pursue, or assist in pursuing, litigation;
  2. access any information in documents in which an individual may be named or involved;
  3. seek to embarrass the employer.

Data Subject Access Requests need to be responded to within 40 days. Such requests should be dealt with promptly, but strictly within the parameters for which the protection was meant.

If you require further information about the above topic, please contact Rachel Harrap or a member of the Employment Team at Edwin Coe.

Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.

Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing. Our privacy notice which we are obliged to give you under the GDPR is available here.
