An employer must now respond to a request for personal information, known as a data subject access request (DSAR), ‘without undue delay’ and in any event within one month of receiving it.
In some cases, for example particularly complex requests or when one person has made several requests, the response period can be extended by a further two months, but it’s important to take advice before relying on this.
The General Data Protection Regulation (GDPR) replaces the time scale for responding to DSARs formerly stipulated by the Data Protection Act 1998.
That Act set a strict maximum of 40 days to respond to the person making the request, with no extensions allowed.
What exactly is a DSAR?
A DSAR is a request made by an individual for a copy of all or some of the personal data held about them by their employer.
This could include, for instance, their personnel file, emails between them and other people within a set time frame, CCTV camera footage and their medical records.
Although the main purpose of the legislation is to enable individuals to check that their data is being processed lawfully in accordance with data protection law, many employees use requests as fishing exercises prior to legal action.
Extending the response time
Most employers process a huge amount of workforce personal data and the detailed and extremely broad nature of some DSARs can make formulating an adequate response both laborious and complex.
Not only are some employers likely to have to sift through vast amounts of information to find data relating to a particular individual, they will also have to ensure that the privacy of others is protected, which could mean redacting large amounts of third-party data.
Even so, it can’t be assumed that the legwork involved automatically justifies a two-month extension – GDPR stipulates that the time limit can only be extended where ‘necessary’, taking into account the complexity and number of the requests, and employers need to be ready to explain and document why this is the case.
Employers should aim to: