Employment Law: Subject Access Requests | November 2020
Here at cHRysos HR Solutions, we have been involved in a number of potential disciplinary cases in the last 12 months where the immediate response has been for the individual employee to submit a Subject Access Request (SAR). In light of this, this month's Employment Law update is more of an 'aide memoire' on these regulations, especially given the recently updated guidance from the Information Commissioner's Office (ICO).
In short, the ICO outline:
- Individuals have the right to access and receive a copy of their personal data, and other supplementary information - a subject access request or ‘SAR’
- Individuals can make SARs verbally or in writing, including via social media
- A third party can also make a SAR on behalf of another person
- In most circumstances, you cannot charge a fee to deal with a request
- You should respond without delay and within one month of receipt of the request
- You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual
- You should perform a reasonable search for the requested information
- You should provide the information in an accessible, concise and intelligible format
- The information should be disclosed securely
- You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
The ICO advise all employers to develop company guidance for all levels in the organisation and ensure this is reflected in your HR policies and procedures. Employers also need to ensure that there is a trained individual for handling and responding to all SARs and provide general training for all employees to recognise a SAR. This is vitally important as the clock starts ticking as soon as the SAR is received, and you have one month to respond - although in certain cases this may be extended.
Asset registers – How you store personal data is key and employers are strongly encouraged to maintain information asset registers which state where and how you store personal data.
Produce a checklist – following a checklist enables the responsible staff and the employer to maintain a consistent approach to handling SARs: who, what, why, when, how, etc.
What works for you will depend on several things such as how big an employer you are, how many SARs you receive and, not least of all, the type of personal data you are processing.
Employers are strongly encouraged to go to the Information Commissioner's Office website for further detailed information and guidance on SARs.
In addition, the Information Commissioner's Office has provided an Accountability Framework Self-Assessment to help employers/organisations assess the extent to which they are currently meeting the ICO’s expectations in relation to accountability towards GDPR.
Finally, at the time of writing, the government had just announced the new COVID-19 restrictions, with a second ‘lockdown’ to come into effect on Thursday 5th November 2020. We will be looking closely at what happens and what advice and guidance the government will be issuing to employers and employees, and will provide an update in the December 2020 Employment Law Update.
cHRysos HR Solutions is a Doncaster-based HR training and consultancy company providing CIPD and CMI accredited qualifications, Apprenticeships and HR Services to SMEs nationwide. For more information about how cHRysos HR can help you successfully achieve further qualifications, contact us on firstname.lastname@example.org or call +44 (0)1302 802128.