Many employment law cases now begin with a Subject Access Request (SAR).
The reason is that it’s a useful way for an employee or former employee to gain information for their case.
Dealing with SARs is a specialised field of law for one excellent reason: it’s extremely complicated.
Get it right, and there can be a great benefit to employment lawyers and their clients, whether they’re individuals or businesses and organisations.
Get it wrong, and there could be missed opportunities or problems further down the line.
Here are the 5 basic things every employment lawyer should know…
1. Verifying the identity of the person making a Subject Access Request, and the authority of any third-party agent, is vital.
In GDPR, SARs can be made by the person themselves or by a third party.
You must verify the identity of any subjects making their own request.
If a third party is making the request, you must ask for evidence of the third party’s authority to act for the subject and obtain evidence of the identity of the data subject.
Without this verification, you might put personal data in the wrong person’s hands.
2. People making an SAR are not just entitled to all their data, they are entitled to know where it has been shared and for what purpose.
For example, one employer would perhaps share information about an employee just with HMRC and the pension provider, while others may also share information with businesses which provide wellbeing schemes or offers for employees, such as money-off vouchers for eye care.
Your corporate clients need to ensure they can provide this information when replying to an access request.
3. SARs must be complied with in a month, or three months if the request is complex and provided you have told the individual making the request you will need more time.
So, any clients who receive an SAR need to act swiftly.
4. Organisations cannot refuse to deal with an SAR or charge for it unless it is “manifestly unfounded or excessive”.
What does this mean? The ICO says a request may be seen as manifestly unfounded if the person has no clear intention to access the information or there’s malicious intent and the SAR is being used to disrupt and harass an organisation.
This could be because that’s stated in the request or communications from the subject, there are unsubstantiated accusations made by them, they are targeting a fellow employee against whom they hold a grudge, or they frequently send different requests to cause disruption. Each situation must be considered individually. Read more here.
5. There is no blanket ban on releasing third-party data when replying to an SAR.
Despite the way many people interpret GDPR, the situation is not straightforward and there ARE situations where third-party information would be disclosed in an SAR.
A balancing test must be applied to each individual situation. A precedent for this was set in the case of Rudd v Bridle, where a business which received an SAR was told by a court it must not apply a blanket policy of withholding the identities of other individuals in the response. It was instructed to assess each individual issue.
GDPR says any data released “shall not adversely affect the rights and freedoms of others.” What about situations where that information does not adversely affect the third party? You can read more on this subject in our in-depth blog.