Back in October 2017, we wrote a blog on subject access and how employees and other parties have the right to access the data you hold about them.
Since then we have had two new pieces of legislation come into play, the big one being the General Data Protection Regulation on 25th May 2018, subsequently enacted further into British law through the Data Protection Act 2018.
So to start off with, which bits are relevant for today’s lesson? Firstly we have Article 15(1) of the GDPR, which outlines the rights of data subjects and what they are entitled to:
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
This particular article is quite simple in its language and, in the main, reflects the fact that data subjects are entitled to all records you hold regarding them, and that these must be provided free of charge. The £10.00 fee has been abolished; however, where requests are manifestly excessive or repetitive, Data Controllers may charge an appropriate administrative fee, although this cannot be a charge for staff time, i.e. wages.
The Data Protection Act 2018 (s.45) goes further, outlining the requirements on the Data Controller and what you must do. It also explains where you can refuse a request and what must be taken into account when doing so, without infringing on the rights and freedoms of the data subject.
So what do we do if we get one, or suspect we have got one?
- It is recommended that all requests for information are treated the same, as they do not have to be in writing; they can be made verbally.
- Acknowledge the request in writing as soon as received.
- You cannot require a data subject to make a request by form, however once a request has been received you can issue a form to narrow down the information they are looking for.
- Individuals no longer have to pay a fee, so you must deal with the request straight away.
- Always request proof of identity before releasing information. How you do that is up to you but Passport or Driving Licence would be a good start!
- Remember you only have one month from the date of the request to release the data. If you cannot meet that timescale, you can exercise the right to an additional two months, where justified, to complete the request; however, speak to your DPO first, as you must communicate the extension to the data subject.
- Compile all the data together and, if possible, keep it in chronological order (it makes life easier), then start redacting where required. Whilst data subjects are entitled to the information about themselves, they are not entitled to information about others.
- Once the information is collated, you must also provide further information as detailed in Article 15, such as the purpose for processing the data, recipients, retention period etc.
- Ensure the information is in a format which is easily interrogated and does not make it impossible for the data subject to understand.
- Keep a record of all requests received and document all the relevant dates, such as the date received and the due date. Note in addition that ID has been received and checked, to ensure the data is going to the correct individual.
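The checklist above is essentially a small workflow: log the request, calculate the due date, gate the release on identity verification and redaction, and make sure the Article 15 information goes out with the data. The following is an added example of a minimal request register that does this; it is not code from the original post or from any product. It assumes the usual reading of "one month" as the same calendar day in the following month, clamped to the last day of that month where no such day exists (31 January becomes 28 February), and the reference numbers and dates in it are constructed for illustration.

```python
"""Subject access request register: deadline tracking and a release gate.

Added example, not the original post's code. The month arithmetic below is an
assumption about how "one month" is counted, not something the post states.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Supplementary information Article 15(1) says must accompany the data itself.
ARTICLE_15_ITEMS = (
    "purposes of processing",
    "categories of personal data",
    "recipients or categories of recipient",
    "retention period or criteria",
    "rights to rectification, erasure, restriction and objection",
    "right to complain to the supervisory authority",
    "source of the data where not collected from the subject",
    "existence of automated decision-making, including profiling",
)


def add_months(start: date, months: int) -> date:
    """Same day of month `months` later, clamped to that month's last day (assumption)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class SubjectAccessRequest:
    reference: str                      # constructed internal reference, e.g. "SAR-0001"
    subject: str
    received: date                      # the clock starts on the day the request is made
    channel: str                        # "verbal", "email", "letter": all treated the same
    acknowledged: date | None = None
    id_verified: date | None = None     # date ID (passport, driving licence) was checked
    extension_reason: str | None = None
    supplementary: set[str] = field(default_factory=set)
    redaction_complete: bool = False    # third-party data removed from the bundle

    @property
    def due(self) -> date:
        """One month from receipt, or three months in total once an extension is justified."""
        months = 3 if self.extension_reason else 1
        return add_months(self.received, months)

    def extend(self, reason: str, subject_notified: bool) -> None:
        """Record the extra two months; refuse unless the data subject has been told."""
        if not subject_notified:
            raise ValueError("extension must be communicated to the data subject first")
        self.extension_reason = reason

    def missing_supplementary(self) -> list[str]:
        """Article 15 items not yet written into the response."""
        return [item for item in ARTICLE_15_ITEMS if item not in self.supplementary]

    def release_blockers(self) -> list[str]:
        """Reasons the bundle must not go out yet; an empty list means ready to release."""
        blockers = []
        if self.id_verified is None:
            blockers.append("identity not verified")
        if not self.redaction_complete:
            blockers.append("third-party data not yet redacted")
        if self.missing_supplementary():
            blockers.append("Article 15 information incomplete")
        return blockers

    def is_overdue(self, today: date) -> bool:
        return today > self.due


if __name__ == "__main__":
    # Constructed walk-through: a request received by email on the last day of January.
    sar = SubjectAccessRequest("SAR-0001", "A. N. Other", date(2019, 1, 31), "email")
    sar.acknowledged = date(2019, 1, 31)
    print("due:", sar.due, "blockers:", sar.release_blockers())
    sar.id_verified = date(2019, 2, 4)
    sar.redaction_complete = True
    sar.supplementary.update(ARTICLE_15_ITEMS)
    sar.extend("records held across several legacy systems", subject_notified=True)
    print("revised due:", sar.due, "blockers:", sar.release_blockers())
```

The point of `release_blockers` is that releasing the bundle is a single decision made against the whole checklist, so an unverified identity or an unfinished redaction pass cannot be skipped by accident; the register itself is the record of dates the last bullet asks you to keep.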
Other things to remember
All data regarding an individual falls within the scope of a Subject Access Request unless there is a legal reason for not being able to provide it. This highlights the fact that you should never put in writing anything you wouldn’t consider to be fair and factual about an employee. If you are not willing to share a comment or opinion with an employee about them, then you shouldn’t be putting it in writing. Even fairly minor comments or remarks are not helpful when it comes to defending a grievance or a claim from an employee.
If you want to find out more about the ongoing effects of the GDPR regulations, read our blogs. We can also provide a DPO Service and Audit. Call 01924 827869 for more information.