How to make a Data Subject Access Request
If you are thinking about lodging a claim in the Employment Tribunal, or if you are having difficulty obtaining information from your employer about a situation you face at work (like a grievance, issues with your performance, or a flexible working request), a Data Subject Access Request (DSAR) can be a useful, free way to get information, and to put pressure on your employer to comply with your legal rights.
Before making a DSAR, it is best to try to resolve any issue with your employer informally, if possible. Entering into a formal process, such as the one around a DSAR, can damage your relationship with your employer, as DSARs can be lengthy, complex and expensive for an employer to deal with. However, you have a statutory right to be able to access certain data held by your employer, as set out further below.
What is a DSAR?
Article 15 of the EU General Data Protection Regulation (“GDPR”), and the UK General Data Protection Regulations, give “data subjects” (e.g. individuals) the statutory right to know about, access and get copies of certain data that “data controllers” hold about them. This right to information about data includes information held by: your employer/a former employer/a potential employer/a company you provide services to as a worker or self-employed person.
Your employer should have a policy which is available to all staff setting out how it manages data, and confirming your rights as a data subject in relation to how your data is collected, kept and shared.
Broadly speaking, you can make a DSAR to find out what personal information an organisation holds about you, how they are using it, who they are sharing it with, and where they got your data from.
In an employment or workplace context, you may want to make a DSAR to find out more about how you have been treated at work, to the extent that this has been addressed within data about you. For example, your situation at work may have been discussed in emails or meeting notes between your line manager and HR, or there may be important information about your situation contained in documents relating to your pay, your family-related leave request, or notes relating to your appraisal. The information you receive back in answer to your request may help you prove your case, for example as evidence of discrimination or other unlawful treatment.
Making a Data Subject Access Request
Under the GDPR, you can make a Data Subject Access Request orally, or by other electronic means (e.g. an email, a Facebook message or even a tweet!).
It is best to make the request in writing, so that you have a record of exactly what you requested, and when. You could be asked to complete a form, but you cannot be forced to do so. Many organisations have a data policy which will set out who you can make the request to.
We have a template letter which you can use to make a DSAR (see below).
You can find more information on the Information Commissioner’s website about your rights under GDPR, and how you can make a request.
Hints and tips on making a DSAR
- You do not need to give a reason for your request, nor should the data controller ask you why you are making it. However, guidance on requests for employers often notes that employers may be able to resist requests where data subjects are making them in order to cause difficulty for the employer, or as part of a campaign.
- You should tailor the letter to what you would like to receive, thinking about the issue(s) you have had at work, and relevant dates, events, specific issues or individuals who may be involved, who may have created documents/shared data relating to that issue. Examples of data you might want include your personnel/HR record, medical records, benefit records, video footage or photographs, activity logs, correspondence between certain dates and people, or interview notes.
- Think about making the request to expressly include data which uses any identifier which your workplace may use for you other than your first name — for example, a nickname, your initials, role, payroll number, any work ID number, or any other code or signifier used in relation to your role.
- If you would prefer to receive the information as hardcopy documents, make this clear. Otherwise, a response will usually be provided electronically.
- If you have any particular needs in relation to how you receive the information, e.g. large print, make this clear.
- Some information is exempt from being provided. For example:
  - Data controllers are not obliged to disclose information to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information (Article 23(1) GDPR).
  - Data controllers do not have to disclose information which is subject to legal professional privilege.
  - Confidential information, certain information relating to negotiations, and certain other categories of information are also expressly exempt; see the ICO website for more information.
Conditions for a DSAR – identification and fee, if applied
Data controllers can ask you to provide evidence to confirm your identity before responding to your request. (A photocopy of your passport or driving licence should do the trick.)
There is no fee, which means your employer should not charge you to respond to your DSAR (Article 12(5) GDPR). The Information Commissioner’s Office website states that the information “must be provided free of charge”. However, in exceptional circumstances, employers can charge a “reasonable fee” based on administrative costs. This might be relevant if you ask for extra copies of the information, if the request is particularly complex, or if you have already made the same request recently. If a fee is requested, in order for it to be appropriate, it should take into account the importance of the right of access as a fundamental right, and it should not be an attempt to pass on any overhead costs or other general expenses to you as the data subject.
Time to respond to a DSAR
The data controller must normally respond within one month of receipt of the request (Article 12(3) GDPR). The date they need to respond by is the same day in the next calendar month, so if they receive a request on 3 June, they must respond by 3 July. If there is no corresponding day in the next month, the deadline is the last day in the month (e.g. a request received on 31 March must be responded to by 30 April).
If your request is complex or you submit a number of requests, that period can be extended by an additional two months.
If the data controller has requested information from you to verify your identity, the time period will start from the date you provide the required information.
What sort of response will I get?
Employers generally do answer Data Subject Access Requests, because if they refuse or give incomplete or inaccurate answers, they may face legal consequences.
If you make a request, you are entitled to be given a copy of any personal data you have requested (subject to any exemptions) within the statutory timeframe. The obligation is for the data controller to provide information to you, not documents. This means that you may receive the information extracted from another document or with irrelevant information redacted/removed.
This data could be from emails, but also databases, word processing systems, instant messages, CCTV records, telephone records for both landline and mobile phones, internet logs, automated payroll systems, and records of automated door entry systems such as swipe cards. Other categories of information may also apply, depending on your workplace and any data policies the company has which you may have agreed to.
If you make your request by electronic means (e.g. email), the response should also be in electronic form (Article 15(3) GDPR).
If I don’t get a reply/the information I requested
If the data controller does not reply to your request, or if it provides you with only a part of what you asked for, and you think you are entitled to receive more, you can take various steps. In the first instance, you should make a complaint to the Information Commissioner, informing the Commissioner that there has been an infringement of the GDPR (Article 77 GDPR). The Commissioner will have to make an assessment and can serve a notice on an employer requiring it to give them information. Employers generally do not like to be referred to the Information Commissioner! (Article 57(1)(f) and Article 77 read together with section 165 of the Data Protection Act 2018 (“DPA 2018”)). Here is the ICO’s complaints page.
You can also make an application to court alleging breach of subject access request rules and seeking an order for the purposes of securing compliance (sections 165 and 167, DPA 2018).
Below is an example of how to make a Data Subject Access Request in the form of a letter.
Dear [NAME OF ADDRESSEE],
DATA SUBJECT ACCESS REQUEST UNDER THE UK GENERAL DATA PROTECTION REGULATION
I am writing to make a data subject access request pursuant to Article 15 of the UK General Data Protection Regulation.
[I [am OR was employed OR engaged] by [NAME OF EMPLOYER/COMPANY] as [POSITION IN DEPARTMENT OR DIVISION] [between DATE and DATE].
OR
I applied for [role OR work] with [NAME OF EMPLOYER/COMPANY] on [DATE]. I understand that you hold and process data about me.
SCOPE OF MY REQUEST
[This is a general request that relates to any personal data processed by or on behalf of [NAME OF EMPLOYER]. To help you comply with the request, you should know that it is likely that personal data is held relating to the following matters: [SET OUT MATTERS]
OR
Although [NAME OF EMPLOYER] processes a wide range of personal data about me, this request is confined to data concerning:
- The decision to [SUBJECT MATTER].
- Allegations about [SUBJECT MATTER].
- [OTHER].
LOCATING THE PERSONAL DATA
I envisage that a number of individuals may process personal data in connection with the above. Some of the data processed will be held in the form of sent and received emails and word-processed documents. Presumably these can be identified through the use of search tools.
In relation to emails, you may limit the search to emails between [NAMES] during the period [DATES]. However, in relation to [SUBJECT MATTER] please ask [NAMES] whether any of them is aware of others who are likely to have exchanged emails containing personal data relating to me. If so, please let me know who those others are and search the emails of anyone that any of them identifies as well as those individuals mentioned above.
REQUEST FOR FURTHER INFORMATION
[I have mentioned above those individuals who I believe may have processed data about me. Amongst other aspects, I am concerned about how the [SUBJECT MATTER, FOR EXAMPLE, RECRUITMENT EXERCISE, REDUNDANCY EXERCISE] was carried out. Please could you let me know which individuals were involved in decision-making in relation to that process so that I can decide whether to make a more specific subject access request in relation to that situation].
VARIANT EXPRESSIONS OF MY NAME
My full name is spelled [NAME]. However, I am aware of people using a number of variant spellings including [VARIATIONS]. I am also referred to as [NICKNAMES] [and/or some documents may use ID Number [INSERT]]. I would like you to search for each of these variations, particularly when searching email records and other word-processed documents.
INFORMATION TO SUPPLY
Once you have identified personal data within the scope of this request, please provide a copy of the information constituting personal data and also:
- Provide a description of the data and the categories of personal data concerned.
- Explain the purposes for which the data is processed.
- Identify the source or sources of the data.
- Set out to whom the data has been disclosed or may be disclosed, in particular recipients in third countries or international organisations.
- Set out, where possible, the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine that period.
- State whether there has been any automated decision-making using the data, including profiling, and if so, any meaningful information about how it was based, as well as the significance and the envisaged consequences for me of such processing.
[CONFIRMATION OF IDENTITY]
[Although I assume you are aware who I am, to avoid any doubt or delay I enclose a copy of my [driving licence] [passport] to confirm my identity.]
I look forward to hearing from you within one month.
Yours faithfully,
This advice applies in England, Wales and Scotland. If you live in another part of the UK, the law may differ. Please call our helpline for more details. If you are in Northern Ireland you can visit the Labour Relations Agency or call their helpline Workplace Information Service on 03300 555 300.
The information on the law contained on this site is provided free of charge and does not, and is not intended to, amount to legal advice to any person on a specific case or matter. If you are not a solicitor, you are advised to obtain specific legal advice about your case or matter and not to rely solely on this information. Law and guidance is changing regularly in this area.