Skip to main content
Blockquote icon
Personal data only includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information

Introduction

Anyone who’s been following the Post Office scandal will now know about the importance of disclosure in litigation – that is, the requirement for each party to a dispute to make sure that it discloses to the other side (and the court) ALL the documents it has that have a bearing on the case, whether they are helpful or harmful to that party’s case.

The disclosure exercise is carried out once a claim has been brought and the litigation is formally underway. But inhouse lawyers will also be familiar with another, earlier stage form of disclosure that employers may be forced to undergo by disgruntled employees, through the tactical use of data protection laws, and the “right of access”.

What is the right of access? The right of access gives people (including clients, customers, suppliers or employees) the right to get a copy of their personal data from the “controller” who holds it.

In the context of employment, this means from their employer. Employers will hold all sorts of data about their employees, so what does this mean?

Risk Umbrella

Recent Posts

3 June 2024

Employment law update

8 May 2024

An introduction to Incoterms

7 May 2024

An introduction to employee ownership

18 April 2024

Wrongful trading and the twilight zone

9 April 2024

Getting your business ready for sale

28 February 2024

About Shareholders’ Agreements

We emphasise the words ‘relating to’, because the information should do more than just identify the individual – it should concern them in some way. Examples of personal data at work would be the individual’s HR files and their payroll detail, but also emails or WhatsApp messages about them that other employees have generated on the company’s IT systems and phones, and even CCTV footage.

Who can send in a data subject access request?

Anyone can send their current or past, or even potential future, employer an access request. It does not even have to be in any particular format.

Why might someone make an access request?

In the context of a live employee dispute – a grievance for example, or a disciplinary process, it can be hugely helpful for the employee to get sight of all the materials the employer has about them far ahead of an actual claim being brought and the subsequent disclosure exercise. A smoking gun email can help the employee secure a good settlement without even needing to bring a claim. Just as with disclosure, everything has to be disclosed no matter how unhelpful, embarrassing or even damaging.

Blockquote icon
Example: Employee X in the customer services team has asked to change her working hours to avoid rush hour commuting, coming in very early and leaving after lunch, to enable her to collect her child from nursery. Her manager has so far refused on the grounds that the team all need to be at work during customer service opening hours, but Employee X doesn’t believe this is the real reason; she and her manager have never got along and she thinks this is an excuse. She emails asking for a copy of all her personal data. The manager sent the HR Manager an email saying; X has never pulled her weight, and if we say no, it may be our chance to get rid of her.
X submits an access request. What should her employer do – does it have to disclose this very unhelpful email? The answer is yes!

What should you do if you receive an access request?

Step 1 Acknowledge receipt of the request. You should comply with the request within a month, unless it is unusually complicated and onerous, so it’s best to reply to the request straightaway and confirm when you received it, and when the clock started ticking.

Step 2 Appoint someone internally to deal with the request. Ideally this should not be the manager with whom the employee has the dispute; an unrelated manager will inspire more trust and confidence in the employee that his/her request is being taken seriously and that the law is being fully complied with.

Step 3 Scope out where within the company this data will be held. It could be in many different places; eg the HR department, the employee’s own department, payroll, security. Collect the data from all possible sources – emails, electronic systems, CCTV images, automated systems such as door entry systems.

Step 4 Resist the temptation to put all the data in a “data dump” of raw data! Recent caselaw makes it clear that it needs to be in an intelligible form – this may mean copies of emails or other documents.

Step 5 Check whether this data includes other employees’ personal data; this is quite possible if not likely. If it does, you should include it if that employee has expressly agreed or it’s reasonable for you to disclose even absent consent.

Step 6 Once you have collected all the data, you will also need a covering email to confirm certain key points to the employee – eg why you process their data, the categories of data you process, how long you store it for.

Step 7  Make sure you keep a copy of your response, and details of how you went about identifying the data and collecting it. This is really important if the employee does not believe that you have disclosed all their personal data, and makes a complaint to the Information Commissioner.

Our advice is to be practical in dealing with an access request. Ask someone who is not involved in the dispute to handle it. These requests are burdensome and time consuming to comply with, but compliance is a legal requirement, and if you don’t comply in full, or if the data subject doesn’t believe you have fully complied, you could be hearing from the Information Commissioner!

Alice Darwall - My Inhouse Lawyer
Written by Alice Darwall
Principal at My Inhouse Lawyer

One of our values (Growth) is, in many ways, all about cultivating a growth mindset. We are passionate about learning, improving and evolving. We learn from each other, use the best know-how tools in the market and constantly look for ways to simplify. Lawskool is our way of sharing with you. It isn’t intended to be legal advice, rather to enlighten you to make smart business decisions day to day with the benefit of some of our insight. We hope you enjoy the experience. There are some really good ideas and tips coming from some of the best inhouse lawyers. Easy to read and practical. If there’s something you’d like us to write about or some feedback you wish to share, feel free to drop us a note. Equally, if it’s legal advice you’re after, then just give us a call on 0207 939 3959.

Want to know more ? Book a discovery call

How it works

1

You

It starts with a conversation about you.  What you want and the experience you’re looking for

2

Us

We design something that works for you whether it’s monthly, flex, solo, multi-team or includes legal tech

3

Together

We use Workplans to map out the work to be done and when.  We are responsive and transparent

Like to know more? Book a discovery call

Freedom to choose & change

MONTHLY

A responsive inhouse experience delivered via a rolling monthly engagement that can be scaled up or down by you. Monthly Workplans capture scope, timings and budget for transparency and control

FLEX

A more reactive yet still responsive inhouse experience for legal and compliance needs as they arise.  Our Workplans capture scope, timings and budget putting you in control

PROJECT

For those one-off projects such as M&A or compliance yet delivered the My Inhouse Lawyer way. We agree scope, timings and budget before each piece of work begins

Ready to get started? Book a discovery call

How we can help

Help Boxes Desktop
Help Boxes Mobile

Recent Posts

3 June 2024

Employment law update

8 May 2024

An introduction to Incoterms

7 May 2024

An introduction to employee ownership

18 April 2024

Wrongful trading and the twilight zone

9 April 2024

Getting your business ready for sale

28 February 2024

About Shareholders’ Agreements

28 February 2024

Restrictive covenants & beyond

29 January 2024

Data subject access requests

16 January 2024

Getting to know your company books

22 November 2023

How to avoid a dispute

Like what you see? Book a discovery call