Is it Really Personal? How to protect your business when receiving a ‘request’.

Your employee has the right to request certain data that you may hold which relates to them, under the Data Protection Act 1998 (“DPA”). Embarrassingly for some, this may include notes and emails that you may never have intended for them to see! Typically ‘requests’ are made when the parties are in dispute or litigation is contemplated. An employee may request their data in order to assist with their case or for tactical reasons to encourage settlement.

  1. Any request received must be in writing (it can be by email), but it does not have to say it is a ‘subject access request’, nor does it have to be made by the employee personally. It can be made (with their authority) by a third party on their behalf, such as their solicitor or parent. You should ensure you have trained individuals within the business to recognise the ‘request’ as a subject access request, as there is a statutory 40-day time limit in which to provide the data once the ‘request’ is received. Your staff must know not to delete any personal data relating to that employee after a ‘request’ has been received.
  2. Upon receipt, you should act swiftly: acknowledge receipt and, if necessary, request an administration fee (maximum of £10) and proof of the employee’s identity. You can also seek further information from the employee to try to narrow the scope, such as a date range or where the data may, in their view, be located. You should identify all information which may be within scope, check whether the data is with your service providers and allow time for retrieval.
  3. Whilst it may seem obvious that only data that is ‘personal’ should be identified as being potentially within scope, this can be tricky to identify where the employee is not actually named. Data is considered ‘personal’ where the employee is identifiable from that data alone, or from that data together with other information that you hold.
  4. Your search should extend to any personal data that you hold in either electronic form or in a ‘relevant filing system’. This can include any correspondence, the HR file, a manager’s notes, CCTV and voice recordings.
  5. Beware of inadvertently disclosing data belonging to another identifiable individual (a third party). If necessary, you should consider seeking the consent of the third party prior to disclosure. This is a particularly tricky area, as you will need to balance the employee’s interest in the disclosure with any duty of confidentiality that you may owe to a third party.

Summary: In view of the type of information that may need to be disclosed, it would be wise to have a policy on document management and retention, and to train your staff so that they are aware of when to create personal data, how to manage it and how long to keep it for.

In Part 2 we will highlight key points on responding to the ‘request’ – what you should disclose and what you can withhold under the various exemptions provided in the DPA…
