LRD guides and handbook November 2015

Monitoring and surveillance at work - a practical guide for trade union reps

Chapter 7

Making a Data Subject Access Request (DSAR)


[ch 7: pages 72-73]

Workers have a right to access their own personal data as long as this is held either on a computerised system or on paper and organised as a “relevant filing system”, in other words, a system that enables information to be retrieved quickly and easily. This includes data about an individual worker relating to issues such as performance management, discipline, grievances and individual sickness absence. The technical term for the request is a “Data Subject Access Request”. Workers can be asked to pay a fee but this must be limited to £10. 


The employer must respond to a written request promptly and in any case within 40 days. The request can be refused if releasing the information would:


• breach a duty of confidence to someone else (this objection can sometimes be overcome by suggesting that the identity of other individuals is covered over); 


• involve “disproportionate effort”; or


• risk damaging ongoing negotiations between the worker and their employer, for example as to pay, or involve legally privileged (i.e. confidential) communications with the employer’s solicitors about the worker.


The employer’s right to refuse to comply with a DSAR because of its “disproportionate effort” relates to the low maximum fee of £10. The fixed fee is intended to reflect the idea that information retrieval to comply with a DSAR is supposed to be a simple administrative step, requiring minimal thought and effort. The rule of thumb is that a newish temp should be able to retrieve it easily. The best way to avoid this objection is by keeping any request simple, specific and straightforward, and confined to information you really need, rather than “fishing” more generally. Using precise dates and names is a good idea.


There is no right of access under the DPA to management planning data where this would prejudice the conduct of the business, for example, future plans about redundancy or reorganisation. 


It is worth remembering that an email system such as Microsoft Outlook is likely to be a “relevant filing system” for the purposes of the DPA. Any request for copies of emails should be as specific as possible, to overcome an objection that the request is disproportionate. Where possible this should identify clearly the names of senders and recipients, with approximate dates. 


Guidance on making requests is available on the ICO website. See: https://ico.org.uk/for-the-public/personal-information