Data Subject Access Requests (DSARs) involving employees can be difficult for even experienced Data Protection Officers (DPOs), in-house lawyers, and HR professionals to deal with. This can be for various reasons such as:
- the volume of data held on employees by the company;
- the various exemptions that might apply; and
- the likely complex background to the request.
Often DSARs come up in the context of a redundancy exercise, a grievance or disciplinary, or employment tribunal litigation. Therefore, the situation may already be fraught without having a DSAR to deal with on top of that.
For the uninitiated, employees (and other data subjects) have certain rights in relation to their own personal data under UK law. Under the United Kingdom General Data Protection Regulation (UK GDPR), one of these rights is to make a DSAR, which entitles an employee to confirmation that their data is being processed by their employer, a copy of that data, and certain supplementary information about the data processing.
We have outlined below some of the key questions surrounding DSARs, to help employers understand their obligations when an employee submits a request.