THE emerging practice of employees and ex-employees subjecting current and former employers to data subject access requests is viewed by many employers as a daunting and oppressive experience. An experience that is amplified frequently by the knowledge the request is being made in order to acquire ammunition to support claims against the employer.

Employees, or ‘data subjects’ in this context, have a right to make a request for their data mainly for the purpose of establishing the accuracy of any data held, or to determine whether the data has been lawfully processed. As a general rule, the employer or ‘data controller’ is obliged to provide, in a logical form, any personal data of which the requester is the subject.

There are exclusions and exemptions available to an employer.

Receipt of a data subject access request from a current or ex-employee is likely to produce apoplexy in all but the most informed of employer. Responses range from simply ignoring the request in the hope that it will disappear, to making the request the focus of attention in the hope of finding a legitimate way to avoid compliance.

Generally, if an employee considers that the employer has failed to comply with its obligation, claims can be brought before the court with a view to forcing compliance and/or seeking compensation for any damage or distress caused by the employer’s failure to comply. In addition, a claim can be made to the Information Commissioner’s Office, which has extensive powers of enforcement.

This raises the question – when can an employer lawfully refuse to comply with a request, or at the very least effectively manage the extent of compliance? It now seems fairly settled that the employee’s motive in making the request will not necessarily provide a reason to the employer for refusing the request. However, it is sensible at the outset for an employer to determine whether the request is for documents or data. If the request is for documents in order to support a claim, an employer may reasonably refuse the request. Alternatively, if the request is for data, an employer may reasonably refuse the request on the basis that it requires a disproportionate amount of effort and that there are other means available to the employee to get the information sought.

From an employer’s perspective, the effort and cost involved in finding and supplying the information should be balanced against the benefit to the employee in acquiring the data.

One thing is certain, it is unlikely in the foreseeable future that the practice of making subject access requests will reduce or cease. Employers should, therefore, have a defined process, plan of action and a designated data controller to deal with requests. Employers should:

* have an effective framework for searching, reviewing and identifying personal data;

* ensure that any commercially sensitive information is redacted and does not infringe the rights of other data subjects;

* evaluate the costs in management time and external professional advisors; and

* if the request is to be resisted, document the basis on which that conclusion was reached.

For further information or guidance, contact a member of the team at FG Solicitors on 01604 871143 or info@fgsolicitors.co.uk