Following the success of last year’s Knowledge November, where we took a really in-depth look at Shared Parental Leave, this year we are focussing on Subject Access Requests by employees under Section 7 of the Data Protection Act. Under that Section, a data subject can request certain information regarding their personal data and how it is processed by you as Data Controller. Typically, in the employment context, you are a Data Controller because you hold personal data and process it in relation to things like pay and benefits, disciplinary and sickness records and so on. Throughout the month of November we will be exploring the form that such requests might take, when you might need to verify the identity of the person making the request, the time limit for providing a response, your obligation to search for personal data, your response, the statutory exemptions and the enforcement provisions. We will also be looking at some Frequently Asked Questions that we receive in relation to Subject Access Requests (SAR). For those in HR who tend to forget about the Data Protection Act, the situation at Morrisons, where the company is being sued by staff for breach of data security after their personal and financial details were posted online, reminds us that it is an issue we can’t afford to ignore.
We will be covering:
- What is a SAR? How to recognise one.
- The timescales involved
- The use of social media
- Finding the information needed
- Filtering Data
- Non-compliance and the penalties involved
Each Thursday during November, a video will be available dealing with a different issue arising under this new legislation. There will also be an opportunity to ask a question on this topic and receive a FREE answer. All the questions and answers will be shared on our website, so you will be able to see what has been asked and what the answer was.
What is the purpose of a Subject Access Request?
The Information Commissioner’s Subject Access Code of Practice explains that the purpose of a Subject Access Request is ‘to enable individuals to find out what information is held about them, to check its accuracy and ensure it is up to date and, where information is incorrect, to request correction of the information or compensation if inaccuracies have caused them damage or distress’.
However, I am sure you will all be aware that employees commonly use this right as a way of gathering information from their employer that might support a prospective Employment Tribunal Claim. It is worth noting that in the case of Durant v Financial Services Authority the Court of Appeal pointed out that the purpose of Section 7 isn’t to enable an individual to obtain discovery of documents that might assist him in litigation or complaints against third parties. The Information Commissioner, however, takes the view that if a Data Controller were able to avoid complying with a request simply because the person making it was contemplating (or had begun) legal proceedings, it would seriously undermine the right of access afforded by Section 7. The Code of Practice states that there is nothing in the legislation limiting the purposes for which a Subject Access Request (SAR) may be made or, indeed, requiring the requester to tell you what they want the information for. Later we will consider how far the Courts may limit the extent to which an employer will comply where somebody is merely using a SAR to try and obtain documents to assist an illegal claim.
Video – an introduction to Subject Access Requests.
You can view Anna’s video here
When was the last time you reviewed your Data Protection policies?
We offer the following services:
- Full Data Protection Audit
- Advice on the storage and retention of data
- Handbook policies for staff – setting out what data is held about them and why (there is an obligation under the Act to set out the purpose for which data is being held)
- Subject Access Request support
- Data Protection training for HR
It is important that employers maintain the confidence of their workforce by being transparent about the personal information they hold.