The Paris Smith Employment Podcast is a regular podcast that discusses all things related to employment law. The podcast is hosted by Charlotte Farrell and Ryan Mitchell, both are lawyers at Paris Smith LLP. In today's episode, they discuss subject access requests and the key things businesses need to know about them. The GDPR was introduced in 2018 and has led to individuals becoming much more aware of their rights regarding their personal data. As a result, Paris Smith has seen more people making subject access requests.
You can find out more info here: https://parissmith.co.uk/your-business/commercial-law/data-protection-and-gdpr/
01:00:00 - The right to access personal data held by organisations is a legal right given to individuals.
02:00:00 - Personal data is any information that relates to an identified or identifiable living individual.
06:30:00 - Anonymised data can be excluded from a subject access request.
07:00:00 - Subject access requests are being used more often as a way to find information for employment tribunal claims.
07:54:00 - The main use for subject access requests in a commercial setting is to upgrade complaints to "super complaints."
09:00:00 - The main points to consider when dealing with a subject access request are verifying the requester's identity, diarising key dates, and trying to locate the requested information.
11:17:00 - Subject access requests are usually free, except for when they are excessive. If someone refuses to pay or withdraws their request, businesses may have trouble recovering costs.
13:38:00 - The business doesn't have to send everything to the individual who they find. Someone needs to go through it and identify any documents which don't need to be disclosed.
15:00:00 - Organisations need to include a cover letter with personal data when sending it to someone in response to a subject access request.
16:20:00 - Employees use subject access requests to check their personal data is being processed correctly and tactically.
18:16:00 - The government is proposing to decrease the threshold for an organisation being able to refuse to respond to a subject access request, or to be able to charge a reasonable fee.
19:19:00 - The word vexatious could potentially help to stop requests where the person is only using it to cause trouble for their employer or ex-employer.
19:50:00 - The top tip for dealing with subject access requests is to have a written procedure and use systems which allow for personal data to be easily searched, reviewed and extracted.
21:07:00 - HR and line managers should train all staff on the GDPR and data protection issues, including subject access requests. Staff should be aware of what they can and cannot do with personal information. Deleted emails are still searchable.
23:25:00 - The risks of getting subject access requests wrong include complaints to the Information Commissioner's Office and investigations which can lead to instructions on how to correct procedures.
