Dealing With Subject Access Requests
Many businesses regard the Data Protection Act 1998 as something that merely requires a lot of form filling and the payment of fees, but there is a lot more to it than that.
The purpose of the Act is to protect a person's right to privacy with regard to the processing of their personal information. Individuals (‘data subjects’ in the terminology) have the right of access to information held about them. For example, a customer of your business has the right to contact you to request a copy of any data you hold on them so that they can check it. This is called a 'subject access request' (SAR). You are required by law to supply the information requested (once you have checked that they are who they say they are, of course). The individual making the request has the right to see data held in any form, not just that held on computer, so storing information in paper form does not avoid the responsibility.
Guidance on dealing with SARs is available from the Information Commissioner's website.
If you receive a SAR, you are required to supply not only all the information you hold on the data subject but also a description of why the information is processed, details of anyone it may be passed to or seen by, and the logic involved in any automated decisions. If you unjustifiably fail to comply with a SAR, the courts may impose a fine of up to £5,000. Any person who believes they have suffered damage and/or distress as a result of a contravention of the Act may seek compensation by applying to the High Court.
In the case of a failure to comply with a subject access request the Court may award compensation for distress alone.
The interpretation of the Court of Appeal is that ‘personal data’ has been defined in such a way that employees are only entitled to see information which is biographical ‘in a significant sense’ and which has the data subject as its focus. The mere mention of a person’s name does not entitle them to see the documents concerned.
In 2015, legislation was brought in which makes requiring a prospective employee make their own request for a Criminal Record Check unlawful.
SARs are goverened by the General Data Protection Regulation. There is guidance on this from the ICO.