Subject Access Requests: Frequently asked questions from employers

posted by KeithDaniel

Recently we have received an increase in queries from various employers with respect to their employee’s making data subject access requests, especially where an employee is currently subject to an internal performance / sickness absence management or a disciplinary process.

Against the backdrop of more of us now working from home, either on a full-time basis or as part of a hybrid working model, more electronic communications are now being sent which could potentially be caught by a subject access request (SAR). For instance, any correspondence sent via Microsoft Teams or Whattsapp could be disclosable as part of a SAR. We therefore thought that now was a good time to address some frequently asked questions we have received with respect to SAR’s.

1) What is a subject access request (SAR)?

Under Article 15 of the UK General Data Protection Regulations, (GDPR) an individual has the right to request from a data controller copies of any documents/correspondence containing their personal data.

2) What is personal data?

Under the UK GDPR, personal data is defined as “any information relating to an identified or identifiable living individual”. In the employment context, an employee’s personal data will be contained within their personal file, payroll system and appraisal forms, but will also no doubt be included in emails, meeting minutes, handwritten notes, work WhatsApp chats, etc.

3) How long do we have to respond to a data subject access request?

A SAR must be dealt with without undue delay and within one month of receiving the request. However, the one-month period can be extended by a further two months, where necessary, having consideration to the complexity and number of requests.

An employer must inform the employee within one month of receiving the request whether they will need any extension. The reasons for the delay must also be provided.

4) What if the documentation requested contains the data of other individuals?

In this situation, an employer cannot disclose the personal information of another individual unless the individual has consented to the disclosure or it is reasonable to disclose the information without the consent of the other individual. However,  we would advise that specific advice is sought in this circumstance as it may be impracticable to seek consent especially where doing so would involve the disclosure of the data subject’s personal data to another individual/third party. Furthermore, it may be impracticable to seek consent where it would not be appropriate for a third party to know that the data subject has made a SAR.

An alternative option for an employer is to redact the personal data of other individuals. 

5) Do we need to provide copies of correspondence sent between the employer and its lawyers / external HR consultants?

Any correspondence sent between the employer and its legal advisers which was created for the purpose of seeking or giving legal advice would be subject to legal advice privilege and would therefore not be disclosable as part of the SAR.

However, correspondence sent between the employer and an external HR consultant would not normally be covered by legal advice privilege and would there be disclosable. Therefore, employers should always bear in mind that any correspondence sent between colleagues (including HR) which relates to an employee is likely to be disclosable.

SAR’s are therefore a useful weapon for a disgruntled employee and are often regarded by employers as overly burdensome - they cost a significant amount of management time and expense in complying with the request. Significantly, they have the potential to disclose a “smoking gun” document in the event unfavourable communications or communications which pre-determine the outcome of any internal process have taken place between colleagues, including HR.

In conclusion, employers should be mindful of what they commit to writing as although they may believe that they are sending a private message/email between colleagues, ultimately, it is likely to be disclosable in the event of a SAR by the employee.

If you would like more information about the issues raised in this article or any other aspect of employment law, please contact us on 029 2034 5511 or at employment@berrysmith.com