What to do if you get a Data access request

It is now quite common for employees to seek access to any personal data which their employer or ex-employer holds on them. It can be an extremely time-consuming activity for employers to undertake, especially where the employee has worked there for a long time.

Quite often these requests will come alongside a claim that the employee has with their employer, for example an unfair dismissal claim. An access request can be a method of obtaining additional information to support a claim.

QUESTION: What is meant by personal data?

ANSWER: Under Section 4 of the Data Protection Acts, 1988 and 2003, individuals have a right to obtain a copy, clearly explained, of any information relating to them, kept in either manual or electronic form. Manual form means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.  Electronic form extends to information contained within emails. It is therefore not only what you hold in an official personnel file or Human Resources system.

QUESTION: How long do I, as an employer, have to respond?

ANSWER: You currently have 40 calendar days to respond.  It is important to note that this timeline is due to decrease to 1 month with the introduction of the General Data Protection Regulations (GDPR) in May 2018.

Your 5 Step Guide on “How to Manage a Data Request”:

There are some important first steps when you receive a request:

  1. Ensure the request is received in writing and you can verify the requester's identity.
  2. Check that the relevant administration fee (if your organisation chooses to charge) is paid – up to a maximum of €6.35. The 40-day period commences as soon as it is paid.
  3. Find out the scope of the data that they are seeking in order to avoid making unnecessary searches – is there a particular type of information they are looking for or information during a specific time period?
  4. Respond with something – you may not be able to gather everything that is requested right away; however, you should look to send what you can. Responding with some information will show that the organisation has made an effort to fulfil the request.
  5. Once information is gathered it should be fully checked and any personal information relating to others redacted.

Overall Advice:

Put in place a ‘Data Protection Policy’ which includes what data relating to employees is retained by the organisation and for how long. Having this policy will ensure that you have thought through your responsibilities as an employer and are clear on what your approach is up front.

Laura Banfield, HR Consultant