Is it Really Personal? How to protect your business when receiving a ‘request’
19th November 2015
Your employee has the right to request certain data that you may hold which relates to them, under the Data Protection Act 1998 (“DPA”). Embarrassingly for some, this may include notes and emails that you may never have intended for them to see! Typically ‘requests’ are made when the parties are in dispute or litigation is contemplated. An employee may request their data in order to assist with their case or for tactical reasons to encourage settlement.
- Any request received must be in writing (it can be by email), but it does not have to say it is a ‘subject access request’ and does not have to be made by the employee personally. It can be made (with their authority) by a third party on their behalf, i.e. their solicitor or parent. You should ensure you have trained individuals within the business to recognise the ‘request’ as a subject access request, as there is a statutory 40-day time limit in which to provide the data once the ‘request’ is received. Your staff must be aware not to delete any personal data relating to that employee after a ‘request’ has been received.
- Upon receipt, you should act swiftly, acknowledge receipt and, if necessary, request an administration fee (maximum of £10) and proof of the employee’s identity. You can also seek further information from the employee to try to narrow the scope, such as a date range or where the data may, in their view, be located. You should identify all information which may be within scope, check if the data is with your service providers and allow time for retrieval.
- Whilst it may seem obvious that only data that is ‘personal’ should be identified as being potentially within scope, this can be tricky to identify where the employee is not actually named. Data is considered ‘personal’ where the employee is identifiable from that data, or from that data together with other information that you hold.
- Your search should extend to any personal data that you hold in either electronic form or in a ‘relevant filing system’. This can include any correspondence, the HR file, the manager’s notes, CCTV and voice recordings.
- Beware of inadvertently disclosing data belonging to another identifiable individual, a third party. If necessary, you should consider seeking the consent of the third party prior to disclosure. This is a particularly tricky area as you will need to balance the employee’s interest in the disclosure with any duty of confidentiality that you may owe to a third party.
Summary: In view of the type of information that may need to be disclosed, it would be wise to have a policy on document management and retention, and to train your staff so that they are aware of when to create personal data, how to manage it and how long to keep it for.
In Part 2 we will highlight key points on responding to the ‘request’ – what you should disclose and what you can withhold under the various exemptions provided in the DPA…
The contents of this newsletter are intended as guidance for readers. It can be no substitute for specific advice. Consequently we cannot accept responsibility for this information, errors or matters affected by subsequent changes in the law, or the content of any website referred to in this newsletter. © Mundays LLP 2015.