Weekly dilemma: Subject access requests

I’ve received a letter from a current employee in which she asks for details of all personal information the company holds on her. Do I have to send her everything? What if some of the material also has information about other employees? Can she ask for information to be removed from her personnel file?

Employees have a legal right to make a “subject access request” under the Data Protection Act 1998 (DPA). This applies to information about living identifiable people (personal data) including that held in personnel records and obtained through employee monitoring.

The DPA regulates the way that personal data can be processed (ie collected, recorded, used, stored and distributed) and it gives individuals rights to access their personal data, and compensation should things go wrong. The DPA applies to computerised information (including emails, word documents and CCTV records) as well as structured manual records (ie organised filing systems where individual data can be easily located and identified).

Access to this information must be granted when an employee requests it, but you may charge a £10 fee for providing the information and you have 40 days in which to provide it from the date that payment is received.

You are right to be concerned about releasing information relating to other employees and you may be exempt from disclosing it, as it could potentially breach other employees’ right to have their data held securely under the DPA. You should consider redacting information that relates to other employees, or ask for their consent before releasing it. If, after removing information relating to other employees, it is still clear who is being described, then you may be exempt from disclosing it, depending on the circumstances – if the information is sensitive personal data, for example.

You can also, by agreement with the employee, narrow the scope of his or her request should it appears to be particularly wide ranging. In any event, information held in unstructured paper files, eg a document held by a manager in his desk drawer or a note in a supervisor’s diary, is not covered by the DPA.

If obtaining the information is particularly burdensome, you may be exempt from complying with the request, but this can only be justified by reference to the cost of gathering the information, the time it takes, the resources you have and the difficulty of obtaining the information. Remember that almost all personal data held electronically is potentially disclosable.

Other exemptions from data that can be released are:



  • information contained in management forecasting and workforce planning;
  • corporate financial information;
  • information covered by legal professional privilege;
  • information relating to negotiations with the individual; and
  • references given to you by a previous employer in confidence.


The employee could object to you holding or using information about them if it causes them distress or harm. If so, delete the information and stop using it in the manner complained about, unless you have a compelling reason to continue.

Employees have a right to claim compensation should they suffer as a result of a breach of the DPA, so it is in your interests to make sure that you respond to the subject access request adequately, as well as within the 40 day time limit.

Jenny Owens, associate solicitor, Weightmans LLP








XpertHR FAQs


Comments are closed.