Factsheet: Subject Access Requests and GDPR

By Anthony Wolny | 30th October 2018 | 13 min read

What is a data subject access request?

A subject access request, otherwise known as an ‘SAR,’ is a written request to a company or organisation, in which an individual asks for access to any personal information that that business may hold about them.

Under the terms of GDPR, which became law within the UK on 25th May 2018, it is a legal right for any citizen within the UK to access any personal information that a company may hold about them. They can exercise this right at any point, and at no financial cost.

In detail, a person has the right to request:

  • Confirmation their data is being processed
  • Access to their personal data
  • Any other supplementary information (e.g. information that may normally be provided by a business’s privacy notice)

Data subject access requests are relatively easy to make on the part of the individual or employee, but they can also be problematic or time-consuming for employers. Their primary use is for individuals to check that their personal data is being processed lawfully in accordance with GDPR regulations, but employees can also use subject access requests as a legitimate fishing exercise prior to instigating legal action.

What is GDPR?

General Data Protection Regulation, or GDPR, came into force in 2018, and replaces the current Data Protection Act 1998. It harmonises data protection laws across the EU, and updates the previous regulations to take full account of globalisation, and the ever-changing technology landscape. Businesses will now need to demonstrate that they comply with the regulation when handling personal data.

The regulation applies to any company processing the personal data of individuals in the EU in relation to offering goods and services, or else to monitor their behaviour. Significant penalties can be imposed on employers who breach the GDPR, including fines of up to €20 million or 4% of the business’s annual turnover, whichever is greater. The level of fine will depend upon the type of breach and any mitigating factors, but they are designed to strongly penalise any employers who show a disregard for the GDPR.

What is classed as personal data?

Personal data refers to data that relates to a living person who may be identified from the data (or from data and any other information that a business may be in possession of, including any expression or opinion about the individual, or indications in respect of the individual).

It is classed as information that relates to the individual in his or her personal, family, business or professional life where the individual is the focus or central theme of the information.

The GDPR regulations apply to:

  • The processing of personal data wholly or partly by automated means; or
  • The processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.

Personal data only includes information relating to natural persons who can be identified, or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.

Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive, and they can only be processed in limited circumstances.

Why must employers comply with new regulations?

You must legally comply with all regulations relating to subject access requests under the terms of GDPR. A failure to meet a stipulated deadline, or to provide an employee with the legally correct data that they have requested, could potentially leave you facing significant penalties.

The Information Commissioner’s Office, or the ICO, who uphold and regulate the terms of GDPR within the UK, have a range of enforcement tools available, depending on the severity of the offence committed by the employer. These include issuing warnings, reprimands, ordering compliance, and issuing fines.

How can I tell what is a valid subject access request?

A valid data subject access request must be made in writing, but there is no particular prescribed form. You must also be satisfied as to the identity of the data subject, and should not automatically assume that the person making the request is necessarily who they say they are.

If a request is submitted via a third party, such as a solicitor, then you must also be satisfied that the request has been authorised by the individual in question.

Is there any information that employers don’t have to disclose?

Under the terms of GDPR, as an employer you may be able to withhold personal data if you feel that disclosing it could ‘adversely affect the rights and freedoms of others.’ Current exemptions which are still relevant to employers under the terms of GDPR include:

  • Confidential references – If you have provided a confidential reference about an employee to another company, you do not have to provide this information to the employee in question, as long as it was provided to benefit their education, training or employment.
  • Publicly available information – If an SAR is made in relation to data that is already clearly accessible to the public, you do not have to provide this to the individual in question. This exemption only applies to information that is required by law to be published.
  • Crime and taxation – Information pertaining to the prevention or detection of crime, the capture or prosecution of offenders, or the assessment or collection of tax is exempt from disclosure.
  • Management information – Data that is processed for management forecasting, planning or serious business restructures, including plans for dismissals or restructures, does not have to be disclosed to an individual.
  • Legal advice and proceedings – Personal data is also exempt from the right of subject access request if it consists of information that could be defined as ‘legal professional privilege’ within a UK court of law.

Are there any circumstances in which an employer can refuse a subject access request?

Under the terms of GDPR, an employer can reserve the right to withhold disclosing personal data if they can demonstrate that disclosing it could ‘adversely affect the rights and freedoms of others.’ The UK government also holds further exemptions on matters such as national security, defense and public security.

Is there a timeframe for responding?

Under the new GDPR regulations, UK employers are required to respond to an SAR ‘without undue delay, and in any event within one month of receipt of the request.’ Under previous data protection laws, the limit was slightly longer at 40 days.

However, despite the time limit specified being reduced since GDPR, employers are also allowed to extend the official deadline by up to two months (three months in total), in circumstances where requests are deemed to be ‘particularly complex or numerous.’ If this remains the case once information gathering begins, the company in question must also contact the individual who has made the request within one month of their original contact, with adequate information to explain why an extension to the deadline will be necessary.

As an employer, you must provide good evidence as to why the delay is necessary, but it is highly unlikely that you will be challenged by any official bodies as long as the need for a longer process is properly evidenced.

How has GDPR changed subject access requests?

Some differences have been detailed above, but a basic checklist of differences that have emerged for subject access requests since the introduction of GDPR include:

  • Time to respond – This has been reduced from 42 to 30 days, with an extension period of 3 months allowed for complex or multiple requests.
  • Fees – Previously, individuals were required to pay a small fee of £10 when making an SAR. This payment has now been abolished. Employers may only charge a fee if a request is found to be excessive or unfounded.
  • Unfounded or excessive requests – Employers can legally charge for requests that fall into either of these categories, and they may also be able to show evidence that such requests are too difficult or time-consuming to execute.
  • Electronic access – Businesses must make it possible for employees to make a subject access request electronically. The information must also be provided via a commonly used electronic form.
  • Right to withhold data – Any employer has the right to withhold data that they can prove would be ‘adversely affecting the rights and freedoms of others’ if it were to be disclosed.

Subject access requests – an employer checklist:

  1. You must reply without delay, and within one month, starting from the day on which you receive the SAR.
  2. If you look into the request and decide that it is too complex to answer within the month stipulated, then you can apply to extend the period of compliance by a further two months. However, you must still inform the individual of this within the original one-month deadline.
  3. You must provide the individual with a copy of their personal data requested via the subject access request free of charge.
  4. You can charge a ‘reasonable’ fee when a request is found to be unfounded or excessive, especially if it is repetitive.
  5. You can also charge a reasonable fee for requests for further copies of the same information.
  6. You must also provide the information required in a commonly used format that is acceptable to the individual in question.