Under the Data Protection Act, individuals have a number of rights, in particular the right to receive a copy of any information you hold about them. These rights not only extend to workers but any person on which you hold personal data eg service users, clients and customers.
If you provide such information, you must ensure you don't also give out information on someone else unless it is reasonable in all the circumstances to do so.
Subject access requests
If a worker asks for any information that you hold about them, known as a subject access request, they may make the request verbally or in writing.
You must act on the subject access request at the latest within one month of receipt. You cannot charge a fee to deal with a request in most circumstances.
Where it is reasonable to do so, you can ask for evidence to prove their identity and for information you may need to help you find the information they are seeking.
The one month time limit starts from the day after the request is received until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding date, the date for the response will be the last date of the following month.
If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond. Where it is necessary to obtain someone's ID documents for identification purposes before responding, the period for responding to the request will only begin on receipt of these documents.
See our guidance on the Freedom of Information (FOI) Act.
Information protected under subject access requests
You do not have to provide copies of information if the information is exempt. The exemptions include:
- information held for management planning, eg plans to promote a worker or make a worker redundant
- information as to your intentions in respect of negotiations with the requester
- references you have given about the worker in confidence (references received by you are not exempt)
- information about the prevention or detection of a crime, or the arrest or prosecution of offenders
- information that may affect the price of a company's shares
Read Information Commissioner's Office (ICO) guidance on right of access to personal data.
Keeping other workers' information confidential
When you provide the data, make sure you don't violate anyone else's data protection rights.
For example, if you get a complaint about a worker, and that worker then requests access to their file, this could lead to the complainant being identified.
To avoid this, obscure any identifying information in the original document before copying it and giving the copy to the worker. In some cases the contents of a document may still identify the complainant so it may be necessary to obscure other parts of the document.
Workers' other rights in relation to their records
As well as the right to access data on themselves, a worker also has the right to:
- have inaccurate personal data corrected or completed if it is incomplete
- compensation for damage suffered as a result of your breach of the Act
- prevent processing likely to cause substantial damage or substantial distress
- know the logic behind any automated decision taken about them, eg psychometric testing decisions
- have personal data erased
- data portability to obtain and reuse their personal data for their own purposes across different services
- object to the processing of their personal data in certain circumstances, eg direct marketing