GDPR requests for workplace personal data – faster response times now required
An employer must now respond to a request for personal information, known as a data subject access request (DSAR), 'without undue delay' and in any event within one month of receiving it.
In some cases, for example where a request is particularly complex or where one person has made several requests, the response period can be extended by a further two months, but the individual must be told of the extension, and the reasons for it, within the original month. It is important to take advice before relying on this.
The General Data Protection Regulation (GDPR) replaces the timescale for responding to DSARs formerly stipulated by the Data Protection Act 1998.
That Act had set a fixed limit of 40 days to respond to the person making the request, with no provision for extension.
What exactly is a DSAR?
A DSAR is a request made by an individual for a copy of all or some of the personal data held about them by their employer.
This could include, for instance, their personnel file, emails between them and other people within a set time frame, CCTV camera footage and their medical records.
Although the main purpose of the legislation is to enable individuals to check that their data is being processed lawfully and in accordance with data protection law, many employees use requests as fishing exercises prior to legal action.
Extending the response time
Most employers process a huge amount of workforce personal data and the detailed and extremely broad nature of some DSARs can make formulating an adequate response both laborious and complex.
Not only are some employers likely to have to sift through vast amounts of information to find data relating to a particular individual, they will also have to protect the privacy of others, which can mean redacting large amounts of third-party personal data.
Even so, it can't be assumed that the legwork involved automatically justifies a two-month extension: GDPR only permits the time limit to be extended where 'necessary', taking into account the complexity and number of the requests, and employers need to be ready to explain and document why this is the case.
Responding effectively
Employers should aim to:
- Streamline their processes for responding to a DSAR, including training staff in how to recognise one. A DSAR can be made verbally as well as in writing, does not need to mention GDPR or use the words 'subject access request', and can arrive with any member of staff; the clock starts running from the date of receipt;
- Have a clear and immediate plan of the steps to take as soon as a DSAR is received;
- Understand in what circumstances it's permissible to refuse to deal with a DSAR (for example where it is manifestly unfounded or excessive) and be able to justify this to the Information Commissioner's Office (ICO) if necessary, keeping detailed records of the correspondence. An individual whose request is refused must be told the reasons, and of their right to complain to the ICO, within one month;
- Limit the personal data kept on staff to what is strictly necessary and make sure retention and deletion policies are actually followed in practice.
For help and guidance about this area of the law, please contact Wards Solicitors' Employment team, Business Employment team or Employment Law Specialist Solicitor Julia Beasley directly.