Under s7 of the DPA, individuals have the right to be told whether an organisation holds personal data about them, what that data is, the purposes for which it is held and the recipients to whom it has been or may be disclosed. They are entitled to receive, in intelligible form, the information constituting the personal data together with any available information as to its source. 'Personal data' means data relating to a living individual who can be identified from that data, either on its own or together with other information which is in, or is likely to come into, the possession of the data controller. 'Personal data' can be data held in electronic form or in a 'relevant filing system'.
Whilst the aims of the DPA are entirely laudable, it has had unintended consequences in the context of employment relationships. There is a perception amongst employers that employees exercise their rights under the DPA in order to 'fish' for information to support a tribunal claim, or simply to place the employer under a significant financial and administrative burden.
Making A Subject Access Request
In order to obtain the information, an individual need only make a subject access request (SAR). To make a SAR an employee simply needs to:
- Make a request in writing. Email will suffice.
- If requested, verify their identity, e.g. by providing a certified copy of their passport or other ID.
- Pay the prescribed fee (a maximum of £10).
An employer then has 40 days in which to respond to a SAR. The 40 days run from receipt of the request, the fee and any information the employer reasonably requires to confirm the requester's identity and to locate the data. However, if the employee concerned has previously made a similar request, the employer will only be obliged to respond again if a reasonable interval has elapsed since the earlier request.
In the High Court case of Ezsias v Welsh Ministers All ER 65 (see further below) it was stated that, upon receipt of a request for data, a data controller must take reasonable and proportionate steps to identify and disclose the data he is bound to disclose.
It is not uncommon for employers faced with a subject access request to respond by simply providing the employee with copies of all documents and emails they hold of which the employee is the subject, without considering whether the information actually amounts to personal data or whether it needs to be disclosed at all.
Firstly, there are exemptions from the disclosure requirements. The following documents/information need not be disclosed:
- information which, if disclosed, would also reveal information about another identifiable individual, unless that individual consents to the disclosure or it is reasonable in all the circumstances to disclose it without their consent
- confidential references given by the employer for the purposes (among others) of employment (note that references received by the employer from a third party are not covered by this exemption, although the third-party rule above may apply to them)
- data processed for the purposes of management planning or forecasting where disclosure would be likely to prejudice the conduct of that business (e.g. proposed redundancy plans)
- records of the employer's intentions in relation to negotiations with an employee if disclosure would be likely to prejudice those negotiations (e.g. bonuses)
- personal data that is subject to legal professional privilege, such as data contained in emails passing between an employer and its solicitor
Secondly, the rights under the DPA have been restrictively interpreted. In Durant v Financial Services Authority EWCA Civ 1746 the Court of Appeal held that:
- not all information retrieved from a computer by searching against an individual's name is personal data; the information needs to be significantly biographical and/or such that the individual is the focus of the information, rather than merely being mentioned in it; and
- for manual records, the data has to be held in a filing system structured in such a way that the specific information about the individual is readily accessible.
Whilst the courts have since moved away from the restrictive interpretation of the meaning of 'personal data', the guidance in Durant regarding manual filing systems remains good. A physical HR file might not amount to a 'relevant filing system' if the papers in it are merely stored in chronological order rather than divided into subject areas such as disciplinary records, sickness records, holiday leave etc., and in that case its contents need not be disclosed.
Responding To A Subject Access Request
- Upon receipt of a request, verify the identity of the individual if necessary, to avoid making disclosures to someone who is not entitled to the information.
- Provide the employee with a written acknowledgement of receipt of the subject access request and state that it will be dealt with within the 40 day limit.
- Request a fee of up to £10 if it has not been provided.
- Seek any clarification of the request that is needed, e.g. the period or the systems the employee is interested in.
- Identify possible sources of data and the most efficient way of collating the data. These could be emails (consider keyword searches), word processed documents, manual records, CCTV records etc.
- Appoint a person to oversee:
  - collation of the relevant data; and
  - redaction of third party data, if appropriate.
- Consider whether any data is exempt from disclosure. If it is, remove it.
- Provide a written response within the 40 day limit.
Given that an employee can make a subject access request at any time, may do so on more than one occasion, and need give no reason for doing so, employers ought to be guarded in the comments they make about their employees in documents and emails. This is especially so in the context of disciplinary and grievance issues.