It’s becoming more and more common to find a subject access request (SAR) going hand-in-hand with an employment dispute. We’ve even heard of these SARs being described as ‘weaponised’, meaning that the employee has made a SAR and will withdraw it only if they get the settlement that they want (it’s likely that no one will actually say this, but the intent is there).
Subject access requests in employment disputes: what employers need to know
Can an employee put in a SAR in when they are in the middle of an employment dispute?
Yes, they can. A SAR is a separate process from an employment dispute and is relatively easy for the employee to initiate, but can cause a headache for employers as they work to compile all their organisation’s data on said employee.
Can I ask the employee why they want their data or why they are putting a SAR in?
No, you can’t. In line with data protection law, a person has a right of access to the data that an organisation holds on them (subject to exemptions) and their reasons for requesting their data aren’t relevant. You may have your suspicions as to why they want their data but you can’t ask them about it.
Does the employer have to comply with a SAR?
Generally, yes, you do. However, you can refuse to comply with a SAR if it is:
- manifestly unfounded; or
- manifestly excessive.
A request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:
- explicitly states, in the request itself or in other communications, that they intend to cause disruption;
- makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice;
- targets a particular employee against whom they have some personal grudge; or
- systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.
How long do I have to disclose their data?
The time period for an employer to comply with a SAR is one month with a possibility of another two months for complex requests, for a total of three months in those cases.
Can I ask the employee to withdraw their SAR as part of their settlement agreement?
This is a complex area of law. Generally, a person can’t sign away their rights under a statute in a contract e.g. an employee can’t agree to be paid less than the national minimum wage.
A person can’t agree to not pursue the right of access as this is a statutory right in the UK GDPR. A person could agree to abandon a specific SAR in the settlement agreement but you can’t ask them to agree to never make another SAR. This means that the person could decide to abandon the current SAR in exchange for the settlement and then start a new one right after.
Please seek legal advice to ensure that you follow the correct process in using a settlement agreement.
Contact us for expert advice on subject access requests
If you find yourself needing to comply with a SAR but don’t know where to begin, it’s time to bring in the experts.