What Is a Subject Access Request?
A Subject Access Request (SAR) is made under the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA 2018). [see Subject Access Request letter template]
You have the right to;
-Obtain information from your employer.
-Access your processed personal data, including receiving a copy on request unless providing a copy adversely affects the rights and freedoms of other people.
The SAR is a very powerful tool if you are raising a grievance, defending yourself in disciplinary proceedings, preparing a claim for the Employment Tribunal or any other problems at work for which you need to know what has been written or said about you, and by whom. It is different from a Freedom of Information request (FOI) which is made under the Freedom of Information Act 2000. The Freedom of Information Act gives you the right to information held by those public bodies in England, Wales and Northern Ireland that are answerable to Parliament.
Information That Your Employer Must Provide
Article 15(1) GDPR says that your Employer must provide the information requested together with some additional information. The additional information will be in your employer’s policy and includes;
- The purpose for which your employer is processing your data
- Categories of the personal data being processed
- Who receives or has received your personal data from your employer
- How long your employer keeps personal data, or the criteria used in deciding how long to keep the information
- Information about where your employer got your personal information from if that information was not collected directly from you
- If your employer does cross-border data transfers, information about how data security is safeguarded
- Whether your employer uses automated decision-making and profiling. If so, the auto-decision logic used and what this means for you.
Article 15(3) GDPR says that on receipt of your SAR, your employer must give you a copy of your personal information without charge, but can charge a reasonable fee for additional requests. If you make your request by e-mail then your employer must provide the information in a commonly used electronic format unless you request the information in a different format.
Writing Your Subject Access Request
Use the Subject Access Request letter template to ensure that you make your request accurately in order to obtain the information you need. It is not wise to keep going back when you realise that you have not requested relevant information and the law allows your employer to charge for additional requests and refuse “manifestly unfounded or excessive requests”. To be on the safe side, use this template which is drafted in such a way that it enables you to cover all the categories of information you need for a grievance, disciplinary proceedings or any other problems at work.
You don’t have to give your employer a reason for making a SAR. You can make your SAR in writing or by email or other electronic means. You can also make a verbal request, although this is not a smart move. You must state who you are (include your employee number) and provide a copy of your ID such as your driver’s licence or passport ID page because your employer must ascertain that it is actually you requesting the information. You must specify a date range, subject matter and the people who you believe have sent or received information about you. You don’t have a right to see documents so don’t ask for them, however it may well be that your Employer provides them in any event..
The law says that your employer must provide information about you, and not anyone else. The reality is that information about you may be included in a document (such as an email) which contains information about someone else. This is not a good reason for your employer to refuse to supply information because they can give you a copy of the document with third party names blocked out (redacted).
Time Limit for Your Employer to Respond
Under Section 54 DPA 2018, your employer must provide the information within one month from the date of receipt of your SAR, and not the day after receipt. Your employer can extend the time by up to two months depending on the complexity and number of requests. Your employer must let you know within one month of receiving your SAR that they would like to extend the period, and give you reasons why.
Grounds on Which Your Employer Can Refuse Your Request
Section 53 DPA 2018 provides that if your request is manifestly unfounded or you make excessive requests your employer can refuse your request for information or charge a reasonable fee for the information. In this situation, your employer must give you reasons and let you know your options to complain to the Information Commissioner or apply to the court for redress (Article 12.4 GDPR).
Last Updated: [31/08/2021]