Subject access requests from employees can often be difficult to spot and often come at times when organisations are occupied with other pressing issues. This is frequently the case where a request for information is made in the context of an employee grievance or disciplinary matter.

The fact that a subject access request does not need to be in any standard form or even refer to personal data can make them tricky to identify, particularly if there is an existing relationship between the parties (employer and employee) and information is regularly shared. That can give rise to problems particularly where external contractors or businesses are used to provide services to your organisation  – for example, what, if any, obligations does an external HR consultant have to respond to a request for information from your employee?

The obligations of an external contractor to respond to a request for information from your employee will largely be determined by the role that external contractor plays and whether it is a “controller” or “processor” for the purposes of data protection law.

In very basic terms, any subject access request should be dealt with by the data controller and not the processor. It is therefore important that organisations know whether they are a processor and must pass the request to the controller, or whether they are the controller and must respond to the request within the prescribed timescales.

There is a common misconception that external contractors will be processors by virtue of the fact that they are being engaged to provide a service to another party – for example, if you engage an external HR professional to carry out an investigation into a grievance. However, external contractors are not processors by default and consideration must be given to how the personal data is processed and the roles of the parties involved. A controller will typically determine the “purposes and means of the processing of personal data”. In effect, the more autonomy an external contractor has as to what personal data is collected and how it is used, the more likely the external contractor will be a controller.

If your external contractor is a data controller, any response to the employee subject access request should come from the contractor. If the external contractor is a data processor, all subject access requests must be passed to you to respond.

When dealing with requests for data in this context, consideration must also be given to whether the request is, in fact, a subject access request – a general request for information about policies or procedures will not constitute a subject access request. A requester can, of course, also only gain access to their own personal data. This can be complicated when requesters wish to uncover details of what other individuals may have said about them and, in particular, where access to third party statements is requested. Where statements are sought, steps must be taken to remove any third party data and in certain cases it may not be reasonable to provide third party statements at all.

Where information is redacted or withheld, it can then raise questions as to when statements may be disclosed in unredacted form and whether they be may shared with anyone other than the maker of the statement. For example, can a statement be produced at employment tribunal proceedings or provided to an industry regulator in unredacted form? These issues can often be a source of conflict, where one person has received a statement in redacted form in response to their SAR but an unredacted copy may have been provided to another party.

It is important to remember, however, that even in terms of data protection legislation, different rules apply to the data which may be disclosed in response to a subject access request and to the data which may be voluntarily shared with a third party – in the former case a  data subject is entitled only to their own personal data, while in the latter any personal data may be shared if there is a lawful basis for doing in terms of UK GDPR.

BTO’s Employment Law and Data Protection teams are on hand to guide you through this process.

This update contains general information only and does not constitute legal or other professional advice.

STAY INFORMED