Most employers know that employees have a legal right to access ‘personal information’ about themselves. Frequently used as an addition to an acrimonious grievance or a tribunal claim, the process is often known as a Subject Access Request (SAR).
The right of employees to access their personal data is not new. It has existed in data protection law for decades. But the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 – perhaps the most significant legal developments of 2018 for employers – strengthened this right of access.
It may come as a surprise to employers how easy it now is for employees to exercise this data right. Gone is the old right to charge £10, employees can now make a SAR free of charge, verbally or in writing (including via social media). This ease of access has in turn led to an increase in the number of SARs made to employers.
When that almost inevitable SAR lands on your desk, or in your inbox, would you know how to deal with it?
We find that having in place a procedure for handling SARs makes them much easier to deal with and takes the stress out of what can be a challenging situation, as well as ensuring that your team consistently complies with stringent GDPR requirements.
If you are already in dispute with the employee (or former employee) submitting the request, it also helps to be able to point to a policy if they complain about how it is handled.
A SAR procedure can be brief but should cover all the essentials on the ‘who, how, where and when’. It should minimise the chances that an employee complains to the regulator, the Information Commissioner’s Office (ICO), that you have failed to respect their data rights. The ICO’s enforcement powers include imposing significant monetary fines on non-compliant employers. We have helped some of our clients get out of hot waters with the regulator, but would prefer them not to be there in the first place.
Under GDPR, employers also have to be more open with employees about their data rights and who they should contact if they want to see their personal data. This is often covered in an employee privacy notice and in data protection training for staff. Again, we can help you formulate these policies to make sure everyone’s data is handled as it should be.