Under Section 4 of the Data Protection Acts 1988 and 2003 (the ‘Acts’) an employee is entitled, subject to a number of explicit exemptions, to receive a copy of his or her personal data as held by their employer. It is useful for employers, when approaching subject access requests, to adopt a clear structured process that includes: reviewing the request; collating all relevant personal data; assessing that personal data in light of statutory exemptions; and responding to the request. An employer must respond to a subject access request within 40 days of receipt. The employer’s response should include three files: two files containing all information which will be provided to the employee along with a third file setting out all personal data relating to that employee, including personal data which has been withheld. Also include a letter which informs the employee of their right to complain to the DPC and which also informs the employee of the categories of personal data being processed by the employers, the purposes for such processing and the identities or categories of any recipients to whom the data may be disclosed.
Read more