Prepare for more information access requests

Compliance firm Shoosmiths raises awareness on the possibility of an increase in Subject Access Requests (see article below):

Companies should be prepared for an increase in the use of subject access requests (SARs) by individuals affected by the economic downturn.
This should not present a problem as long as businesses follow basic rules for identifying and dealing with the requests.
Individual employees facing redundancy or disciplinary action, or debtors being chased for repayment, are increasingly seeking to use their rights under the Data Protection Act 1998 to request the personal information held about them by their employers.
Often, the request will be deliberately broadly framed to cause maximum inconvenience, and may cover information considered by the business to be commercially sensitive, contain information about other individuals, or cover legal advice that has been obtained.
Fortunately for businesses, data protection legislation contains a number of exemptions from disclosure, which balance the rights of the individual against the interests of the business.
Nevertheless, businesses need to respond formally to any subject access request within the permitted time frame. To avoid the SAR gaining its own momentum, steps should be taken early on to clarify and contain the scope of the request, and identify the location of information that needs to be disclosed.
The fact that a business may be in litigation or potential litigation with an individual does not relieve that business from its obligations to comply with a valid SAR.
The individual is not required to give a reason for seeking the information, and, indeed, the individual’s motive for making the request has no bearing on the business’ obligations. Where litigation has been commenced care needs to be taken not to disclose documents that are subject to legal privilege and which are exempt from disclosure.
Golden rules
appoint someone within the organisation responsible for responding to SARs, and train staff to recognise a SAR
the response from the business must be prompt, and in any event within 40 days of the date on which a SAR was received
establish quickly if it is a valid SAR if the scope of the request is unclear, or if the fee is missing write back promptly, and do not wait until the deadline for a response
check that the information requested relates to the individual making the request, and that the request is genuine (seek further verification if in doubt)
create a process for dealing with retrieval of information in response to a SAR that allows a full response within the time allowed
Where a SAR is made by a representative on behalf of an individual, businesses should satisfy themselves that the representative is indeed authorised to make the SAR. If in doubt, documentary proof of such authorisation should be sought.
An analysis of the exemptions from disclosure available to a business in response to a SAR is outside the scope of this note. However, be aware that they broadly cover:
information which includes other people’s personal information
confidential references given by the business
information covered by legal profession privilege
management forecast information
information relevant to negotiation with the requester
information relevant to crime prevention and detection
..........................
At Powerchex we often receive calls from applicants who have either been rejected or who are curious to see what their referees have to say about them. We aim to comply with all formal SARs requests that we receive in a timely manner, however from our experience most applicants lose interest after a few days and rarely follow up with a written request. As the economic outlook deteriorates we are preparing for more formal requests and we are urging HR departments to do likewise and establish a formal process that everyone is aware of.