In this third in our series we look at how you respond to a request and what you actually need to disclose, and what to do if you think the employee has already had it.
What if we’ve already given material to the employee?
You may have been in correspondence with an employee, for example regarding a grievance, when you receive your Subject Access Request. If you’ve already sent letters to that individual, do you have to give them again as part of dealing with the request? Firstly, I’d suggest negotiating with the employee as to whether they want duplicate copies of recent correspondence, or whether they consent to receiving a list together with any further information that you will be required to give when answering the request. However, if they insist on receiving copies, you will have to supply the information because the obligation under Section 8 of the Data Protection Act refers to providing the data subject (here the employee) with a copy of the information in permanent form unless it is not possible or would involve disproportionate effort or the data subject agrees otherwise.
It is worth reading the Information Commissioner’s Data Protection Guide and, in particular, the question ‘what about repeated or unreasonable requests?’ It is interesting that the Commissioner’s attitude is that negotiating with the requester is acceptable – it says ‘in practice we would accept that you may attempt to negotiate with a requester to get them to restrict the scope of their subject access request to the new or updated information; however, if the requester insists upon a full response then you would need to supply all the information’.
Video
Our video this week looks at the filtering that you need to go through before disclosing copies of the data and what needs to be included in a response.
How to disclose information safely
The Information Commissioner has recently published guidance to organisations releasing data in response to a Subject Access Request relating to ensuring that personal data that shouldn’t be disclosed (for example because it is personal data relating to a third party) is not included in a Subject Access Request. See the document here.
The guidance draws particular attention to the way in which software packages often work for example to provide information which on its face appears not to contain personal data whereas in fact there is a copy of individual data embedded within it and capable of being accessed within a couple of clicks. It suggests exporting data to a CSV (Comma Separated Value) file – a kind of formatting which often shows whether there is such hidden data – you could then go through it and redact/black out the information relating to third parties. It also draws attention to how you can redact electronic documents but even if you have blacked out certain words or paragraphs electronically it can still be possible to read what is beneath the black marking and gives tips as to how to avoid these problems.
Have you ever thought about undertaking a mock Subject Access Request exercise?
We can assist you with a training exercise to help line managers understand the extent of their duties and ensure those who will be dealing with requests know how to answer them. For more information email Anna
Questions?
Email Anna for free advice on Subject Access Requests. All the questions and answers will be available on our web site