Data protection and privacy issues are constantly in the headlines and it can be difficult to keep up to date with the legal position on our rights as individuals to request data and our obligations as businesses when handling data.
Increasingly, individuals are utilising the Data Protection Act 1998 (the "DPA") and sending Data Subject Access Request letters (DSARs) to their employers to obtain copies of the information that is held about them.
Strict rules apply to organisations that receive a DSAR. If an organisation fails to respond to a DSAR correctly, the Information Commissioner's Office (ICO) has authority to issue financial penalties against that organisation if the ICO considers there has been any breach of the legislation.
Under the DPA, an organisation is required to take reasonable steps to search for and provide an employee with copies of their personal data. An organisation must provide a response within 40 calendar days of receiving the request, and the individual is entitled to be:
told if any personal data is being held about them;
given a description of the data;
told for what purposes the data is processed;
told the recipients or the classes of recipients to whom the data may have been disclosed and information as to the sources of data.
However, before releasing any confidential information, businesses should ensure that they:
Have received a valid request (a request in writing, which includes email);
Are satisfied as to the identity of the individual and, if they are not satisfied, request evidence of the individual's identity;
Have received a fee of £10;
Know what information they are obliged to provide to the individual and what exemptions may apply.
Given the complex nature of the requirements under the DPA, if you receive a DSAR letter and you do not know how to respond to it, please contact us for further advice.
Pam Loch, Managing Partner of niche employment law practice, Loch Associates Employment Lawyers and Managing Director of HR Advise Me Limited.