Subject Access Request

  1. INTRODUCTION

What is this document? This document sets out our policy and procedure for handling data subject rights requests; in particular, subject access requests. It should be read in conjunction with our – or your employer’s (if applicable) – privacy policy. You should read this document carefully, to ensure you understand your rights, their limitations, and what you can expect from us.

  1. YOUR RIGHT TO ACCESS DATA

Your right of access. Article 15 of the UK GDPR gives individuals the right to obtain copies of personal data processed about them by a company.

Important limitations to this right. The UK GDPR only gives you the right to access copies of information relating to yourself, not information relating to others. To the extent that any records on our systems include information relating to other individuals, or to business-confidential matters (e.g., finances etc), this information will typically be redacted or removed from the resulting disclosure made to you.

What format will I receive the information in? Typically, we will provide documents to you in common machine-readable formats (such as PDF, Excel, Word, .csv, etc). If you wish to receive information in another format, you may request this, but we reserve our right to deny any such request if it would result in a disproportionate cost in our responding.

  1. WHAT IS PERSONAL DATA?

What is classed as personal data? Under the UK GDPR, ‘personal data’ is any information which relates to an identifiable living individual in the UK. This could include things like name, contact information, salary information, and HR records.

What isn’t classed as personal data? ‘Personal data’ wouldn’t include any information which is not capable of identifying you, such as data collected or stored on an anonymised basis; for example, survey feedback.

  1. HHOW TO MAKE A REQUEST FOR ACCESS

You can make your request by any means; however, in order to ensure that we are able to properly scope and complete your request in a timely manner, we ask that, where possible, you make your request by emailing us at [email protected], setting out exactly what data you would like copies of.

  1. WHAT YOU MAY NEED TO PROVIDE

A suitable form of ID: We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Clarifications to your request: From time to time, where the scope of your request is unclear, we may also ask for some clarification to enable us to search our systems for the right information.

  1. TIMEFRAMES FOR A RESPONSE

We try to respond to all legitimate requests within one calendar month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

  1. WHEN WE MIGHT REFUSE A REQUEST

The right of access under the UK GDPR is not absolute. In certain circumstances, we may refuse to act upon your request.

If it is unfounded. If you make a request which clearly has an ulterior motive (e.g., to seek a financial benefit from us, or to purposefully cause disruption), we may legitimately refuse to process the request.

If it is excessive. If we reasonably consider that your request is excessive (e.g., you have made requests in quick succession), then we may also legitimately refuse to process the request.

If we cannot be sure of who you are. Under the UK GDPR, we are bound to only disclose data to individuals where we are certain of their identity. If we cannot verify your identity when you make a request to us, then we may refuse to process the request.

  1. YOUR OTHER RIGHTS

In addition to the right to access copies of your personal data, you may also have other rights under the UK GDPR. These include: • The right to ask that we correct your data where you believe it is inaccurate.
• The right to ask that we erase or delete data about you where we have no reason to retain it.
• The right to object to our use of your data where you believe we don’t have a legitimate interest to do so.
• The right to request that we restrict the ways in which we use your data.
• The right to request that we transfer your data to a third-party.
• The right to withdraw your consent to specific uses of your data (e.g., marketing emails).

If you wish to exercise any of the rights set out above, please contact us using the details set out in section 4 above. You can also find information about these rights in our Privacy Policy.

  1. COMPLAINTS

In addition to your rights listed above, you also have the right to raise a complaint if you believe that a request has not been handled correctly.

You can make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data privacy issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

HR support services specialising in employment law for businesses and their people

Get in touch

This is just the tip of the iceberg!

For more information on our services, please fill in the form below and a member of our team will get back to you