Data subject access requests 



Workers have a right to access their data by making a written request known as a “data subject access request”. Under the GDPR (and section 43, Data Protection Bill) the request must be free of charge (the £10 fee can no longer be charged) unless a request is “manifestly unfounded or excessive, in particular because of its repetitive character”, in which case a “reasonable fee” can be charged to reflect administrative costs. There is no need to say why you want the information. 


The GDPR has abolished the 40-day timeframe, replacing it with an obligation to respond “without undue delay” and at the latest within one month of the request. If a request is complex, this timeframe can be extended by two more months. There are some grounds for limiting or refusing the request, for example, to avoid obstructing an official investigation. 


Employers cannot refuse a data subject access request on the basis that the person plans to use the information to bring a legal claim against them (Dawson-Damer v Taylor Wessing [2017] EWCA Civ 74). 


In future, the ICO will be able to bring criminal proceedings against a data controller who alters records in order to prevent disclosure following a subject access request.