Demystifying Subject Access Requests
From time to time, companies will receive requests from members of staff, job applicants or former employees for access to their personal data. Under the Data Protection Act, these are known as subject access requests.
What should a company be aware of?
There are strict legal requirements that companies need to comply with regarding such requests and the obligations extend beyond personal data held by a company as an employer to personal data held on the company’s behalf by a third party.
Frequently Asked Questions
Q. Does a Subject Access Request (“SAR”) need to be in writing?
A. Yes, an SAR must be made in writing. Any written request by an individual asking for their personal information is an SAR, whether it refers to the Data Protection Act or not.
Q. Does a fee have to be paid first of all?
A. An employer is entitled to await payment of any requested fee (maximum of £10) before handling an SAR.
Q. Can an employer ask for more information before responding to a subject access request?
A. An employer can ask for information to judge whether the person making the request is the person to whom the personal data relates and also seek information they reasonably need to find the personal data covered by the request.
Q. What if a company cannot access the information that has been requested?
A. If an employer does not have access to the requested information or it does not exist, the applicant should be informed in writing as soon as possible.
Q. Can an employer alter requested information?
A. No, an employer cannot make changes to information, even if the information sought is inaccurate or embarrassing.
Q. What if it is time consuming or expensive?
A. Dealing with a SAR can be an onerous task and under the Data Protection Act, an employer is not obliged to provide a copy of the information in permanent form if it would involve disproportionate effort to do so. ‘Disproportionate’ is not defined and so there may be some limited scope for an employer to argue that complying with the request would outweigh the individual’s right of access. However, this does not mean an employer can refuse to deal with a SAR request, only that they may argue about the expense involved in supplying the data. Therefore, relying on this exception is likely to be relevant for exceptional cases only.
What we can do for you?
Dealing with subject access requests can be difficult and time consuming. We can help you with the process should you receive such a request, particularly if litigation is a possibility.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Aeris Employment Law Ltd will be pleased to discuss resolutions to specific legal concerns you may have.