I have received a subject access request asking for “all” personal data from a current employee. How do I deal with this?
Under the Data Protection Act 2018, individuals can make a Subject Access Request (SAR) to their employer to access their personal data. Employers should have an accessible policy to deal with such requests.
Usually, the designated Data Protection Officer or Compliance Officer is the person who will respond to the request. Once you receive the SAR, you will have a month to respond. Normally SARs do not incur a cost; however, if the request is repetitive, excessive or manifestly unfounded, the employer may request a reasonable fee.
The data subject should be informed:
- Whether or not their data is processed and the reasons for the processing of their data;
- The categories of personal data concerning them;
- Where their data has been collected from if it was not collected from them;
- Anyone to whom their personal data has been or will be disclosed, including anyone outside of the EEA, and the safeguards utilised to ensure data security;
- How long their data is kept for (or how that period is decided);
- Their rights in relation to data rectification, erasure, restriction of and objection to processing;
- Their right to complain to the Office of the Data Protection Commissioner if they are of the opinion that their rights have been infringed;
- The reasoning behind any automated decisions taken about them.
An employer may refuse to deal with a request, or part of it, because of the types of information requested. For example, information that is subject to legal privilege or relates to management planning is not required to be disclosed.
Where this is the case, the data subject should be informed that their request cannot be complied with and an explanation of the reason will need to be provided.
If you have any questions in relation to subject access requests, please contact the advice line on 01 886 0350.