Subject Access Requests - What is classed as personal data?
- AuthorNatasha Johnston
With the impending changes to data protection legislation being the hot topic in the run up to May 2018 implementation of GDPR, it is important that organisations understand their obligations to both storing and distributing data responsibly.
What is classed as personal data? - This is a question that cropping up more and more in anticipation of GDPR, particularly in the context of Subject Access Requests. The right for employees to request data in accordance with the provision of the Data Protection Act will remain largely unchanged under GDPR. However it is none- the- less causing a number of questions from our HR manager clients keen to ‘get it right.’
What is changing?
The key changes are that all hard copy files will now be in scope irrespective of how they are arranged. Additionally, the timescale is being squeezed to ‘one month’ and the ability to charge a fee (currently £10 in accordance with the DPA provisions) will be removed, save for excessive requests where a ‘reasonable fee’ can be charged.
With data audits and file cleansing well underway in anticipation of GDPR we are increasing being asked...What is classed as personal data?
In its simplest form, any piece of information that identifies a living human being is their personal data. The scope for where this could be held is endless and if you are asked to produce the data you will be expected to show that you have logically searched all places where data is held.
You may think it would be straight forward enough that you simply ‘hand over’ a copy of their personnel file, however, if ‘all data held’ is requested or an employee lists individuals who they want to receive a copy of their data from within your organisation; you will also need to consider how you ensure you can disclose the following types of data within the required timescales should they are identifiable from them:
- Meeting minutes
- Text messages
- Diary entries
- Records from computer systems
- HR records
- Recruitment records
- Personnel file
- Transcribed recorded calls
Now is the time to prepare, it is vital that staff are aware of their obligations to personal data and what they may have to disclose should a request be made.
Updating your current policies and procedures in regards to Subject Access Requests and training your staff to raise awareness is critical to ensuring compliance with data protection principles.
If you would like to discuss the contents of this article further, please feel free to contact Natasha Johnston on 01792 525478 or by emailing: firstname.lastname@example.org
Natasha is a HR Advisor within JCP's HR Services team. The team provide outsourced HR support and ongoing advice and guidance to the firm's business clients. Natasha’s experience includes providing HR advice and guidance on complex HR issues such as attendance, grievance, capability and disciplinary matters. Natasha can also provide advice and support on policy drafting and implementation, TUPE and Redundancy processes.