
Dealing with Data Subject Access Requests

Author: Chloe Pereira

Many employers are seeing an increase in employees making data subject access requests (DSARs). Any individual is entitled to request copies of their personal data held by a data controller. In an employment context, often when a relationship is strained, an employee will make such a request in the hope they will uncover a smoking gun, or as a tactical manoeuvre, to perhaps encourage the employer to enter into a settlement agreement.

We’ve set out some key points to note if you are faced with a DSAR:

  1. The employer must respond “as quickly as possible, no later than one calendar month starting from the day they receive the request”.
  2. The employee is entitled to copies of their personal data (with a few exceptions, mentioned below).
  3. Personal data means information which either directly identifies the employee from the information in question, or which indirectly identifies them from that information in combination with other information.
  4. If the personal data you identify also includes information relating to another individual (e.g. the employee has asked for emails from someone else’s inbox and those emails will identify that person from their address), then, unless that individual has consented, you have to consider whether or not it is reasonable to disclose the information without consent.
  5. If it is not reasonable to disclose the information without consent, you should consider whether, by redacting information (in particular information that would identify the other individual), it would be possible to provide the employee with at least some of the personal data sought. If so, you should redact that other individual’s personal data and disclose the redacted material to the data subject.
  6. Information that is not personal data at all, for example a general reference to the employee’s place of work, falls outside the scope of the subject access request. There is no requirement to disclose it, and that information can be redacted.
  7. Some information that you come across may fall under an exemption, in which case you would not need to provide it at all and that information can be redacted. For example, the most common exemptions are legal professional privilege, the protection of the rights of others and management forecasts (which applies to personal data processed for the purposes of management forecasting or management planning, where disclosure of such information would prejudice the conduct of the business).
  8. The ICO has a list of the exemptions from disclosure, along with a host of other useful information relating to DSARs, on its website.