The rules on subject access requests changed under the GDPR.
The right of access, commonly known as subject access, allows employees to make a request to access personal data that is held by their employer.
In brief, employers need to provide the employee with confirmation of whether or not personal data is being processed, along with a copy of their personal data. In addition, the employee should be provided with further details, such as the purpose of the processing, the categories of personal data concerned and with whom the data may have been shared.
From an employer’s perspective, receiving a subject access request can be time-consuming, costly and inconvenient. Unfortunately, it is like going to the dentist: it needs to be done!
How should employees make subject access requests to their employer?
The GDPR does not specify the way in which requests must be made, so requests may be made verbally or in writing. Some employers may choose to provide a paper or online form for employees to make a request. But remember that even if you have such a form, employees are within their rights to send in a request by some other means. This may be in person or by sending a letter or email.
The absence of an explicit reference to the GDPR or the words ‘subject access request’ in the employee’s written request does not mean that it is invalid or that it shouldn’t be dealt with.
Can employers charge a fee to deal with a subject access request?
Before the GDPR was introduced, employers could charge up to £10 to deal with the request. However, employers now cannot charge a fee unless the request is ‘manifestly unfounded or excessive’ or if the employee asks for additional copies (i.e. you have already given them a free copy). The fee should only cover the administrative costs of providing this information.
How long do employers have to deal with requests?
Employers are required to deal with a subject access request within one month of receiving it. This can be extended by two months where requests are complex and numerous.
Employers can often find it difficult to comply with the request in this timeframe. So it is essential to get started with locating the information as early as possible.
Do employers need to explain the data?
The information provided to the employee must be in a concise, transparent, intelligible and easily accessible form. It should also use clear and plain language.
Got some more questions?
The ICO have detailed guidance about subject access requests here. In addition, they have a helpline, details of which are here.