Under GDPR, individuals have the right to a copy of the personal data that your organisation holds about them – often known as a subject access request. The ICO recently issued new guidance for businesses and employers about how to deal with SARs.
What the law says about subject access requests
Employers must respond to a subject access request (SAR) from a worker without delay, and within one month of receiving the request. If it’s a complex issue, you might be able to extend this by up to two months. But if you don’t respond within the right timeframe, or at all, there’s the possibility of fines or a reprimand from the ICO.
In the ICO’s own words: “The right of individuals to access information that organisations hold on them is one that is vital for transparency and is enshrined in law. What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests.”
Getting it right
What does compliance look like in practice, though? It might sound straightforward, but reality doesn’t always fit textbook scenarios.
To help your staff recognise a request, they need to know that SARs can be made in all sorts of ways: there’s no formal procedure needed. Contact can be verbal, in writing – even via social media. Questions as simple as “what information do you hold on me?” or “can I have a copy of the notes from my last appraisal?” count as SARs and need an appropriate response. There’s no necessity even to use the words ‘subject access request’ – it’s up to your organisation to identify that this is what is being made.
It’s important, too, that staff know how to respond and who to pass the request to. A valid request can be made by contacting any part of your organisation; it doesn’t have to be addressed to a specific person. But the employer’s side of the equation is different, and the ICO does expect you to have a designated person, team and email address to deal with SARs.
With more than 15,000 complaints in this area made to the ICO last year, it’s important that businesses and employers get it right. Read the ICO guidance here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-of-access/