How employers should handle Data Subject Access Requests

4 September 2024

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, employees have the right to request and obtain a copy of their personal data held by their employer or former employer. This is known as making a Data Subject Access Request (DSAR). The purpose of this right is to help individuals understand what personal data is being held about them, how and why it is being used, and to ensure that their data is being processed lawfully. Employers are required to comply with these requests and provide the requested information in an accessible, concise, and intelligible format.

Making a DSAR

A DSAR can be made verbally or in writing, including via email or social media. It does not need to be directed to a specific department or point of contact within the employer’s organisation. However, it is advisable for employers to specify a preferred method of contact within their organisational data policy to ensure the requests are received by appropriate members of staff. Upon receiving a DSAR, employers must make reasonable efforts to find and retrieve the requested information.

Responding to a DSAR

Employers must respond to a DSAR without undue delay and, at most, within one month of receipt of the request. This time limit can be extended by an additional two months if the request is complex or if the employer has received a number of requests from the employee. Employers must inform the employee of any extension within one month of receiving the request and explain why the extension is necessary. If an employer holds a large amount of information about an employee, they can ask the employee to specify the particular information or processing activities to which their request relates. The time limit for responding will then be paused until clarification has been received.

Exemptions and refusals

Employers can refuse to comply with a DSAR if it is manifestly unfounded or excessive. This could include situations where a request is repetitive in nature or relates to large amounts of data. Employers must assess whether the importance of providing access to the information is proportionate when balanced against the burden or costs involved in dealing with the request. Additionally, there are multiple exemptions under the Data Protection Act 2018, such as where personal data is processed for crime and taxation-related purposes, or where data is subject to legal professional privilege.

Practical steps for employers

  1. Acknowledge receipt: Upon receiving a DSAR, acknowledge receipt and inform the employee of the process and timeline.

  2. Verify identity: Ensure the request comes from the person purporting to make it. This may involve requesting additional information to verify the employee’s identity.

  3. Clarify scope: If the request is broad, ask the employee to specify the information sought to facilitate a more efficient search.

  4. Locate data: Search all relevant systems and databases for the requested personal data. This includes emails, HR records, and any other relevant documents.

  5. Redact third-party data: If the data includes information about other individuals, redact this information unless it is reasonable to disclose it without consent.

  6. Provide data: Supply the requested data in a commonly used electronic format unless the employee requests otherwise.

  7. Document process: Keep detailed records of the request, the steps taken to respond, and any decisions made regarding exemptions or refusals.

Additional considerations

  • Training: Ensure that staff are trained to recognise DSARs and understand the procedures for handling them.

  • Policy development: Develop and maintain a written policy for making and handling DSARs, including how to report and respond to requests.

  • Data management: Implement effective data management practices to ensure that personal data can be located and retrieved efficiently.

To ensure GDPR compliance and effectively manage DSARs, employers must adopt a proactive and structured approach. By implementing clear policies, providing staff training, and maintaining robust data management systems, organisations not only protect employee rights but also safeguard themselves from the legal and financial risks associated with non-compliance. A well-executed DSAR process enhances trust, strengthens organisational transparency, and mitigates the potential for costly penalties or reputational damage.

This article was generated using HR Advisor, an AI tool designed to assist HR professionals with employment law.