Is it Really Personal? How to protect your business when receiving a ‘request’.

Your employee has the right to request certain data that you may hold which relates to them, under the Data Protection Act 1998 (“DPA”). Embarrassingly for some, this may include notes and emails that you may never have intended for them to see! Typically ‘requests’ are made when the parties are in dispute or litigation is contemplated. An employee may request their data in order to assist with their case or for tactical reasons to encourage settlement.

  1. Any request received must be in writing (it can be by email) but it does not have to say it is a ‘subject access request’ and also does not have to be made by the employee personally. It can be made (with their authority) by a third party on their behalf i.e. their solicitor or parent. You should ensure you have trained individuals within the business to recognise the ‘request’ as a subject access request, as there is a statutory 40 day time limit in which to provide the data once the ‘request’ is received. Your staff must be aware not to delete any personal data relating to that employee after a ‘request’ has been received.
  2. Upon receipt, you should act swiftly, acknowledge receipt and if necessary request an administration fee (maximum of £10) and proof of the employee’s identity. You can also seek further information from the employee to try and narrow the scope, such as a date range or where the data may, in their view, be located. You should identify all information which may be within scope, check if the data is with your service providers and allow time for retrieval.
  3. Whilst it may seem obvious that only data that is ‘personal’ should be identified as being potentially within scope, this can be tricky to identify where the employee is not actually named. Data is considered ’personal’ where the employee is identifiable from that data or from data, together with other information that you hold.
  4. Your search should extend to any personal data that you hold in either electronic form or in a ‘relevant filing system’. This can include any correspondence, HR file, notes in the manager’s notes, CCTV and voice recordings.
  5. Beware of inadvertently disclosing data belonging to another identifiable individual, a third party. If necessary, you should consider seeking the consent of the third party prior to disclosure. This is a particularly tricky area as you will need to balance the employee’s interest in the disclosure with any duty of confidentiality that you may owe to a third party.

Summary: In view of the type of information that may need to be disclosed, it would be wise to have a policy on document management and retention, and to train your staff so that they are aware of when to create personal data, how to manage it and how long to keep it for.

In Part 2 we will highlight key points on responding to the ‘request’ – what you should disclose and what you can withhold under the various exemptions provided in the DPA…

Insights.

Need to Make/Update your Will?
30th March, 2020

In these difficult times individuals are recognising the importance of either making or updating their Wills, particularly those who are self-isolating.

Coronavirus Job Retention Scheme and Furlough Leave
27th March, 2020

The Government announced on 20 March 2020 that the state will subsidise employers to pay 80% of the wages of staff who are placed on “furlough” leave but remain employed,…

A note from Neale Andrews
27th March, 2020

These are perhaps some of the most challenging circumstances we have faced as a firm in our 60 year history. We are doing absolutely everything we can to protect our…

Combatting Covid-19 for Commercial Tenants
26th March, 2020

The pandemic is causing huge socioeconomic repercussions and the UK commercial property sector is not immune. So what is going to happen to property-overheads or running costs of commercial premises…