Senior associate Victoria Eustace, in our Employment Law team, expands on Data Subject Access Requests (DSAR) and how they are made.
This blog forms part of a series of helpful blog articles for employers on the topic of Data Subject Access Requests (DSARs or SARs).
What is a Data Subject Access Request?
A data subject access request (often known as a DSAR or SAR) is a request to receive a copy of personal data held by an organisation, along with certain information in respect of the ‘processing’ of that personal data. Employees have the right to submit DSARs to their employer, or former employer.
DSARs enable employees to understand how and why their employer is using their personal data and to ensure that it is being processed lawfully. DSARs may, however, be deployed tactically by employees who are in dispute with their employer. Whether the request is motivated by a genuine interest in discovering what personal data of theirs is being processed by their employer (or others on its behalf) or is made as a tactical move to try to gain leverage in a potential employment dispute, is generally of no consequence. Subject to certain limited exemptions, the employer must still respond to the request, which can involve significant disruption to a business, taking up time and resources.
Failure to properly respond to a DSAR can result in a complaint to the Information Commissioner’s Office (ICO), who could take enforcement action. Employees may also issue civil proceedings to enforce their rights against their employer/former employer. It is therefore important that employers are aware of their obligations and have an adequate procedure in place to deal with DSARs when they arise.
How is a Data Subject Access Request made?
A DSAR may be made verbally or in writing and can be made to any part of an employer’s organisation, including via social media. There are no formal requirements, and it does not have to state on the face of it that it is a DSAR. As such, employers should ensure that staff are trained to recognise a DSAR to avoid accidental non-compliance.
Employers may establish a procedure through which employees can submit DSARs, including designating the person/team to which DSARs should be submitted and/or creating a standard form to be used. While employers must still accept DSARs made by alternative means, the provision of a preferred method of submission should reduce the risk of DSARs being missed or incorrectly processed.
If it is genuinely not clear whether an employee is making a DSAR or not, confirmation should be sought urgently.
How Should Employers Approach Data Subject Access Requests?
It is essential that DSARs are treated seriously and responded to correctly. DSARs can be difficult for busy employers to manage but the implementation of clear procedures alongside appropriate training and guidance will assist. Employers should also ensure that they regularly review their data processing methods and the relevant provisions in the contracts of employment they issue. Employees should be given clear and concise information regarding how their personal data will be collected and processed (frequently provided in a specific “fair processing” or “privacy” notice).
We will be providing further information on how to respond to DSARs and the applicable deadlines later in our continuing series of blog articles. If you require further information in the meantime, detailed guidance is available via the ICO’s website.
Our Employment Law team can advise on all aspects of Employment Law, including in relation to Data Subject Access Requests (DSARs or SARs).
For further information or legal advice, please contact law@blandy.co.uk or call 0118 951 6800.
This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.
