
UK GDPR Compliance Requirements for Employees’ Personal Data Requests

Employee data disputes, grievance cases, and regulatory complaints frequently start with one question: "What information do you hold about me?" The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 attach considerable legal weight to that question.

GDPR courses help organisations learn and apply the fundamental GDPR requirements that govern how employers collect, retain, and share employee data. In this blog, we explore what a Subject Access Request (SAR) is and the key compliance requirements for employees' personal data requests.

Table of Contents

  • What is a Subject Access Request?
  • Legal Framework Governing Employee Personal Data
  • Key UK GDPR Compliance Requirements
  • Exemptions and Limitations
  • Best Practices for HR and Compliance Teams
  • Conclusion

What is a Subject Access Request?

An employee exercises the right of access by making a Subject Access Request (SAR). A SAR does not need to cite data protection law expressly; any clear request to the employer for personal information qualifies.

An example would be an employee requesting, “Can you send me all the information you hold about me?” This constitutes a valid SAR.

Organisations should recognise SARs early and treat each one as a formal data protection request, whatever the channel (email, letter, verbal request, or the organisation's HR system).

Legal Framework Governing Employee Personal Data

UK GDPR applies to all organisations that handle personal data within the UK, including both government and private sector employers. An employee's personal information includes, but is not limited to:

  • Employment contracts
  • Payroll information
  • Performance appraisals
  • Disciplinary records
  • Absence and health records
  • Email messages between the employee and the employer

Article 15 of the UK GDPR entitles employees to confirmation of whether their personal data is being processed and, if so, to a copy of that data together with supplementary information about how it is used.

Key UK GDPR Compliance Requirements

Employers must adopt structured and legally sound procedures when responding to employee personal data requests. The key GDPR requirements are as follows:

Legal and Transparent Process

The employer must ensure that personal data is handled lawfully, fairly and transparently. In answering a SAR, organisations need to provide:

  • A copy of the personal data
  • The purposes of processing
  • Categories of data concerned
  • Recipients or categories of recipients
  • Retention periods
  • Information on the rights to rectification, erasure or restriction of processing

Transparency is central. Employees need a clear understanding of how and why their data is used.

Identity Verification

An employer should take reasonable steps to verify the identity of a person requesting their personal data before releasing it. When verifying identity, organisations may:

  • Confirm details already held on file (e.g. employee ID, date of birth, work email)
  • Request limited additional documentation where necessary
  • Use secure internal authentication systems
  • Document the verification process for audit purposes

Unnecessary or excessive identification requirements should be avoided, especially where there is an active employment relationship and no genuine doubt about the requester's identity.

Scope of Data

When responding to a Subject Access Request, organisations must conduct a comprehensive and systematic review of all data repositories. The response should cover personal data held across all systems, including:

  • HR databases
  • Email servers
  • Cloud storage platforms
  • Archived records

A thorough internal search is required; failure to search adequately can lead to regulatory investigation.

Exemptions and Limitations

Not all information has to be disclosed. Several exemptions apply under the Data Protection Act 2018, including:

  • Third-party information whose disclosure would infringe another individual's rights
  • Confidential references given in confidence
  • Information subject to legal professional privilege
  • Management forecasting or planning data, in limited circumstances

Employers need to apply these exemptions cautiously and document the reasoning behind each one.

Best Practices for HR and Compliance Teams

Organisations need systematic governance measures to remain compliant:

  • Have an effective SAR policy and procedure
  • Train HR staff and line managers to recognise requests
  • Maintain proper data inventories
  • Adopt secure document storage and handling
  • Maintain audit trails of SAR handling

Privacy-by-design principles embedded into HR operations help reduce compliance risk and build organisational resilience. Periodic audits and adherence to ICO guidance further strengthen the compliance posture.

Conclusion

Under UK data protection law, employee personal data requests require organised handling and transparent accountability. Building internal capability through GDPR courses helps organisations understand and apply changes to GDPR requirements. Employers who fail to comply face reputational risk as well as regulatory sanctions.

Strengthen your understanding of UK data protection law with global training provider The Knowledge Academy and confidently meet evolving GDPR requirements.
