It has been the case since 1998 that employees could make a written request for copies or sight of the content of their personnel files and that employers were obliged to produce the file subject to a fee. Such “Subject Access Requests” usually led to a file being downloaded from an HR system or a file being removed from a drawer and potentially some redaction taking place to ensure the confidentiality of other people named in the file.
GDPR has impacted that process.
It is, of course, no longer possible to charge a fee for showing an individual the content of their personnel file. And, importantly, the deadline for responding to the request has been shortened to an obligation to provide the information “without undue delay and in any event within 30 days”. The 30 days is extendable but the burning question is what factors make extension reasonable?
How much information is required?
Let us assume that Joe Bloggs has requested a copy of every mention of him. That will, of course, include his personnel file but will also include any communications in which he is mentioned. There may be many emails, unstructured data and minutes of meetings in which Mr. Bloggs has featured.
What search criteria will you use to search your IT systems? ‘Joe’, ‘Joe Bloggs’, ‘JB’, ‘Bloggs’ and there may be many more. Once you have undertaken your search you will need to carefully redact the documents so as to exclude personal information about other members of your staff and perhaps customers. Such a mammoth task might require a reasonable extension of the time you have to provide the documentation.
Before you set out on this potentially herculean task it would be a good idea to agree with Mr. Bloggs what process he would like you to use and perhaps some detail about what he is looking for. Manage his expectations with regard to the time it may take. Feed back to him on a regular basis: this is what we have found to date, but there may be more to come.
GDPR is in its infancy and there is no case law to help at the moment, but it is received wisdom that employees are only entitled to the information, not necessarily copies of the documents, a view that has yet to be tested in the Courts or with the Information Commissioner. You may want to consider copying and pasting the relevant passages from the documents into a single Word document.
What is a reasonable Subject Access Request?
Finally, there is some evidence that groups of employees are together requesting information. Imagine the above scenario but with six individuals in concert, all asking for everything in which they are mentioned. Might this be a ‘manifestly unfounded or excessive request’ which you can refuse or for which you can impose a reasonable fee? And, if so, what is a reasonable fee? It has been suggested that a reasonable fee might be pro rata of the salary of the individual tasked with carrying out the work. But doubtless in time the answer to these questions will become apparent. Watch this space!