Getting it Right with Subject Access Rights

At any given time an employee can ask to see any personal data that their employer holds on them. This is known as a 'subject access request', and when it happens employers need to tread very carefully.

Subject access requests are a powerful tool for a disgruntled employee and can cost a business both time and money. They also have the potential to open a can of worms in terms of the documents that they uncover, which could prompt an employer to settle a dispute unnecessarily. It's important therefore to be well informed when it comes to an employee's subject access rights.

Employee Rights on Subject Access Requests

Under s.7 of the Data Protection Act 1998, employees have the right to make a subject access request to ask for copies of the personal data their employee holds on them. They also have the right to receive information on how that data is stored and processed.

The Subject Access Rights Checklist

There is a set procedure that employers must follow when dealing with subject access requests:

  • Check that the subject access request has been made correctly and that the £10 fee has been paid and received, as the timeframe for responding does not start until this point. This could therefore buy you some valuable extra time.
  • Deal with the request as soon as possible. It's a time consuming process, and you'll need to remember to build in time for your legal team to review the request, and consider whether there is any third-party personal data which will need to be redacted.
  • An employer has the right to narrow the focus of a data search where the request for data is particularly wide. For any electronically stored data, it is important to agree a time frame for the search, as well as agreeing search terms with the employee.
  • Consider using document management systems or litigation support if there is likely to be a large volume of data.
  • If you are conducting settlement discussions with your employee, try to reach an agreement with them that subject access requests will be put on hold until all discussions are concluded. If discussions break down, try to extend the deadline for the search with the employee.
  • Make sure the subject access request is with withdrawn if a settlement is agreed.
  • Remember that the normal rules of privilege apply and any documentation created for the purpose of legal advice or because litigation is being contemplated should be excluded.
  • Think about providing the documents electronically rather than in a hard copy format, as this will save you both time and money.

2018 Changes to the Law Surrounding Subject Access Requests

Having said all of this, the law is set to change in 2018, and employers may need to rethink how they deal with Subject Access Requests. The General Data Protection Regulation (GDPR) will require employers to respond to Subject Access Requests in a shorter timeframe than that which currently applies under UK data protection laws.

This is why it's so important to follow a defined process for handling subject access requests, such as that outlined in the checklist above. Failure to meet the deadline could result in a significant fine under the new regulation.

Look out for further updates from Office Assistants on how GDPR will affect subject access requests and be sure to consult your legal advisers when handling any form of request, no matter what the circumstances.

Back to Main News Page

Regular Bulletins

Sign up to our regular Office Assistants newsletter and get special offers and discounts.

Sign up



Free e-mail reminders

A free, easy way to remember when crucial payments are due and paperwork needs to be prepared.

Get your reminder

Investors in PeopleThe Institute of Certified Bookkeepers

Company's Practice Number: 4635