An employee has asked for a copy of all their personal data. Do we have to provide everything?
There are several exemptions to the requirement under data protection law for employers to provide employees with a copy of their personal data. However, these must be considered carefully and on a case by case basis.
What does data protection law say you need to provide to your employee?
You need to confirm to the employee that you process their personal data and provide a copy of the personal data you keep about them in electronic form or in a manual filing system, along with other information about how and why you use their personal data.
What are the exemptions to providing personal data?
The employee is only entitled to their own personal data. If, for example, there are documents which include information identifying the employee as well as their colleagues, then you will have to redact any information in the documents relating to the employee’s colleagues, unless they have agreed to their information being disclosed or it is reasonable to disclose the information without their consent.
In deciding what is reasonable you will need to consider all the relevant circumstances, including the type of information you propose to disclose and what steps you have taken to seek consent. If you don’t go through this process, then you may be disclosing your other employees’ personal data unlawfully.
There are also a number of other exemptions which you may be able to rely on and we have set out below the most common in employer/employee situations. You will need to record in writing your reasons for relying on a particular exemption so that you can demonstrate your compliance with data protection law.
You will not need to provide the employee with a copy of:
- Any information that is covered by legal professional privilege, which includes any correspondence with your lawyers about the employee;
- Any information processed for the purposes of management forecasting or management planning for your business, where disclosing such information would be likely to prejudice the conduct of your business. So, if you were planning to make the employee redundant, then you would not need to disclose information relating to your plans if to do so would prejudice the conduct of your business;
- Any information relating to negotiations with the employee where disclosure of the information would be likely to prejudice negotiations with that individual. If you were in the middle of pay or promotion negotiations with the employee, you would not need to disclose any information about the negotiations if it would be likely to prejudice them;
- Confidential references that you receive or provide about the employee for certain purposes.
How can we help?
We have advised clients from a wide range of sectors (including education, transport, legal, environmental, telecoms, construction, manufacturing, charity and leisure/travel) on data protection law.
If you need any assistance with responding to a data subject access request, or any other aspect of data protection law, then please get in touch with us and we will be delighted to help.
For more information about individuals’ rights, please see the article by Sarah Huck “Their Rights and your obligations under the GDPR”, or if you need further legal assistance in a GDPR matter, please contact our team of data protection solicitors.