UK data protection law will change in May 2018 when the EU's General Data Protection Regulation (GDPR) comes into force.
In this fifth article in our series on the implications for employers we look at the forthcoming changes to individual rights including subject access requests (SARs).
The right to access (known as subject access requests)
The GDPR recital which explains the principles behind the relevant provision of the new Regulation states that individuals should have the right to access personal data, to exercise that right easily and at reasonable intervals, so as to be aware of and verify the lawfulness of the processing.
Processing in this context includes collecting, recording, storing, consulting, disclosing, erasing and destroying.
Currently workers have a right to be told whether any personal data about them is being processed by their employer, what that data consists of, to be given a copy of that information, to know why it is processed and who the employer discloses it to. They have a right to know the source of the data and to know the reasoning behind any automated decisions made about them. Personal data must be accurate. Where it is inaccurate, the worker's remedy is to apply to the court for an order to rectify, block, erase or destroy the inaccurate information.
Under the GDPR the right is similar to the current regime but slightly expanded: workers have a right to be told whether any personal data about them is being processed by their employer and to be given access to the data. They also have the right to be told why it is processed, what categories of data are processed, who the employer discloses the data to, how long the employer anticipates storing it (or how that is determined), any information as to its source (if not the worker), the existence of automated decision making, and, if the data is sent out of the EU, to be told what appropriate safeguards are in place.
They also have the right to be informed of the existence of the rights to request rectification, erasure or restriction of processing, to object to processing and to complain to the ICO. These rights are explained in more detail below.
Where the worker makes the request by electronic means, the information must be provided by electronic means, unless otherwise requested.
It's worth noting as well that these whole concepts apply to all individuals who the employer when acting as a controller processes personal data about, not just employees.
Right to request rectification
This is a right to obtain the rectification of personal data or to have incomplete data completed, for example by the provision of a supplementary statement. The employer must inform all third parties to whom it has disclosed the information of the rectification (unless this is impossible or involves disproportionate effort) and let the worker know who those recipients are if requested.
Right to request erasure
The Regulation introduces the concept of a 'right to be forgotten' (although it does currently exist, it is limited to circumstances where the processing causes damage or distress). Workers will have a right to have data erased and no longer processed where it is no longer a needed for the purpose for which it was gathered or consent to processing is withdrawn. There are some circumstances where the employer can refuse to comply such as in connection with legal proceedings or where they are required to retain the information by law. If the employer has made the data public it must take reasonable steps, including technical measures, to inform those processing it to erase any copies or links to it they have.
Right to restrict processing
Where this right is exercised the employer can only process information, except for storing it, with the worker's consent, in connection with legal claims or to protect of the rights of others.
This right only exists in certain circumstances:
- where the employee contests the accuracy of information, for the period it takes the employer to verify its accuracy
- where the processing is unlawful and the employee requests restriction rather than erasure
- where the employer no longer needs the information but it is required by the worker in connection with legal proceedings
- where the employee has objected to the processing, pending verification of whether the employer or a third party has an overriding legitimate interest.
Where processing has been restricted, the worker must be informed before the restriction is lifted.
Right to object
This is a right to object, on grounds relating to the worker's particular situation, to processing based on one of the following:
- the processing is necessary for a task carried out in the public interest
- processing in the exercise of official authority
- the processing is necessary for the pursuance of the legitimate interests of the employer or a third party which are not overridden by the worker's interests
If an objection is received the employer must stop processing unless it can demonstrate compelling legitimate grounds for processing overriding the interests, rights and freedoms of the worker or that it is in connection with legal proceedings.
There are also rights to object to:
- data processing for direct marketing purposes - employer must stop processing
- data processing for statistical purposes - must stop unless in public interest
Time limit for responding.
This will change from the current 40 days to an obligation to respond to requests for access, rectification, erasure, restriction and objections without undue delay and at the latest within one month. An employer will be able to extend the period of compliance by a further two months where requests are complex or numerous. The employer must inform the worker of any such extension within one month, together with the reasons for the delay. If the employer does not take action on the request of the worker, it must inform the worker without delay and at the latest within one month of receipt of the request of the reasons for not taking action and the possibility of lodging a complaint with the ICO and seeking a judicial remedy.
Reasons for not taking action include: the request is manifestly unfounded or excessive or repetitive or for the specific reasons given above.
The current option to charge a fee of up to £10 for responding to each request will no longer apply, so practically more requests will be valid. Information must be provided free of charge unless the request is manifestly unfounded or excessive or additional copies are requested. However, any such fee must be reasonable based on administrative costs.
Preparing for the GDPR
Employers need to be ready for the new regime as soon as it comes into force in May 2018 and our advice is to start planning now. This will involve a review of policies and procedures and training and guidance to ensure that all employees are able to recognise a request for one of these rights to be exercising it, staff handling it are aware of the changes, and, if they are considering refusing a request, the legal basis on which they may do so. You may wish to designate a specific person or team to deal with requests. You might consider making data available for staff to access themselves securely on-line to reduce the amount of requests you receive. The obligations extend to more than these, so if we can help, do get in touch with us.
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.