The Information Commissioner’s Office has recently published some new guidance for employers on how to respond to subject access requests. This was introduced after a number of organisations confirmed that they had misunderstood the correct way to deal with such requests.
Under the UK’s data protection regulations, anyone has the right to submit a subject access request under s.7 of the Data Protection Act 1998. This enables them to obtain a copy of any personal information that an organisation holds about them. This information may also include where/how the information was initially obtained and what the organisation is doing with that data.
Employees have the right to request information from their former employer or indeed their current employer. This may include sickness notes and/or sickness records or their personnel files.
Employers must be aware that they are to respond to these requests within one month; however, this may be extended to two months if the request is particularly complicated. If an employer does not respond, they may be faced with a fine or further legal action. In addition, employers should note that they are not required to respond to the request in any legal form, nor does the request have to be made in this way either. An individual may submit a subject access request in a relatively informal manner, such as through a social networking platform.
Employers should be prepared to deal with these requests efficiently and in a timely manner once received. If you require advice, please contact a member of our employment team here.