Beleaguered by Data Subject Access Requests? You shouldn’t be

I am finding that employers are increasingly being asked to respond to Data Subject Access Requests from employees or former employees. Employees are entitled to access personal data about themselves. Specifically, processed information recorded about them, for the purpose of checking whether the data controller’s processing of their data does not unlawfully infringe their privacy and if there has been an infringement, to take steps to protect their data.

There seems to be much confusion amongst employees and their advisors as to the ambit of a Data Subject Access Request.

The law protects and gives rights to “data”  that is information being processed automatically by computer in response to instructions given for that purpose and recorded as part of a relevant filing system, or with the intention it should form part of an electronic filing system. A relevant filing system includes any set of information relating to the individual whether electronically or manually stored, where the set of information is structured either by reference to the individual or by reference to criteria relating to the individual in such a way that that specific information is readily accessible.

It is not a process to enable disgruntled employees or their lawyers to go on a fishing expedition to obtain documents to:

1. pursue or which may assist in pursuing litigation;
2. to access any information in documents in which an individual may be named or involved;
3. to seek to embarrass the employer.

Data Subject Access Requests need to be responded to within 40 days. Such requests should be dealt with promptly, but strictly within the parameters for which the protection was meant.

If you require further information about the above topic, please contact Rachel Harrap or a member of the Employment Team at Edwin Coe.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now