I remember spending 2 hot days, a couple of summers ago, holed up in a meeting room that was meant for 4 with 7 members of my HR team, going through over a thousand pages of documents, checking and removing any personal data that wasn’t directly related to the employee with over 10 years’ service who had decided to submit a subject access request.
We had sick notes, occupational health reports, appraisals and expired disciplinary notes for 10 years!! It was a time-consuming manual process. One I hope to never repeat!
So what’s a Subject Access Request?
Well, for the cost of £10, with a turnaround time of 40 days (there are some exceptions), an individual has the right to be:
- told whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and
- given details of the source of the data (where this is available).

This means data on emails, files on systems, paper documents and information in your notepads!
Know that even if you refer to someone by their initials, you would still be obligated to release those documents.
This could be an employee, job applicant, client, customer or service user. Just recently, I received a concerned email from a client, querying a subject access request from a potential employee, requesting their references. In case you were wondering, references aren’t confidential, so remember that when references are requested from you!
This is why it is vital to keep ONLY what you NEED to run your business and securely dispose of the rest!
For more GDPR and general tips, check out our YouTube Channel.