Tuesday, July 25th, 2017
The General Data Protection Regulation will bring in a range of new rights allowing employees to access information held on them by employers.
On 28 May 2018, the data protection regime across the EU (including the UK) will change. The General Data Protection Regulation (GDPR) will replace the provisions of the Data Protection Act 1998 (DPA).
The GDPR preserves the rights provided under the current law and provides new rights and enhanced protection for individuals, who are known as “data subjects”. Failure to comply with the provisions of the GDPR may lead to greatly increased monetary sanctions, so it is critical that any Company processing personal data is aware of the changes.
New data subject rights include the right to erasure, requiring a Company to delete the personal data it holds and to cease processing it any further.
This data could include personnel records, metadata on computers and servers, CCTV, call logs, electronic premises access records, health and safety reports and any other electronic records or filing systems used within the Company.
Individuals will have a right to rectification of personal data being processed inaccurately by a Company, and the right to data portability, essentially giving an individual the ability to obtain a copy of their personal data in a commonly used and machine-readable format.
Perhaps the most prominent and commonly used right under the DPA is subject access, and this is changing under the GDPR. Companies need to be aware of the changes and how to prepare for subject access requests under GDPR.
Subject access under the GDPR
The GDPR defines personal data as “any information relating to a data subject” and a data subject as an identified or identifiable (whether directly or indirectly) living person to whom personal data relates. Companies must consider how to identify individuals, particularly employees.
Names clearly identify a person, but so may an email address, payroll number or computer login details. Careful consideration will need to be given to any other aspects of a Company’s operation that use alternative designations (through coding or shorthand) to identify an individual.
The Information Commissioner’s Office (ICO) has published an overview of the GDPR. The overview comments that the “GDPR will apply in the UK from 25 May 2018”. It also states that: “The Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”
The GDPR applies to:
The processing of personal data by an establishment within the EU, whether or not the processing takes place within the EU.
The processing of personal data of subjects within the EU by an establishment based outside the EU, where the processing activities relate to the offering of goods or services to, or the monitoring of, subjects within the EU.
The GDPR allows regulators to impose significantly higher maximum fines than apply under existing provisions. Supervisory authorities will be empowered to impose a fine of up to €20 million or up to 4% of a Company’s annual worldwide turnover, whichever is the greater (the ICO’s existing powers permit it to impose fines of up to £500,000).
The ICO has published “Preparing for the General Data Protection Regulation: 12 steps to take now” and a code of practice on communicating privacy information to individuals.
The GDPR sets out the purpose of a subject access request, something that is not explicit in the current regime. The right of access is stated to enable an individual to be aware of, and to verify, the lawfulness of the processing of their personal data.
Companies must use “reasonable means” to identify those making a subject access request. For an employee, this should be sufficiently easy given the nature of the relationship.
When requesters are not employees, Companies should establish a policy that sets out the identification requirements needed to be sure that the requester is authenticated. Consider asking for passport/driving licence and recent utility bills. This data should only be processed to verify the identity of a requester. It should be processed no further once that purpose has been satisfied.
Under the DPA a fee of up to £10 can be charged for responding to a request. Helpfully, the time for complying with a request does not commence until payment has been made. This will no longer be the case under the GDPR as the right to charge a fee as standard is abolished.
Happily, though, Companies will be able to charge a “reasonable fee” when complying with requests for additional copies of data previously provided. The Information Commissioner’s Office states that the fee must be based on the administrative cost of providing the further copies. To clarify, this would not enable a Company to charge for a subsequent subject access request that sought data which had not been previously requested or provided.
Another substantial change to the subject access regime will be the time allowed for compliance. Less time will be available to Companies to comply with a subject access request. The current regime allows for 40 calendar days, but the GDPR will reduce this to one month.
Companies may, however, be able to seek an extension of up to a maximum of two further months in cases of complex or numerous requests from an individual. If a Company seeks an extension, it must notify the requester within one month of receiving the original request and set out why the extension is necessary. Any explanation will need to be sufficiently detailed to justify the request.
Companies should exercise their right, where legitimate, to ask the requester to specify the information relating to the request.
Such a request for clarification will not pause the time for complying, but it may be of use to those Companies that process substantial amounts of personal data, bringing the search into focus.
Finally, Companies should keep in mind whether a request is manifestly unfounded or excessive. This is a new avenue for Companies receiving disproportionate requests. Companies may be able to refuse to respond to such requests, or consider an administrative charge if the information is something that has been provided previously. Deciding whether a request is “manifestly unfounded or excessive” will turn on individual facts and Companies should seek legal advice before deciding.