Charlotte Farrell | Partner | Employment | Southampton

Charlotte Farrell

Partner - Employment & Immigration

My experience

Employment Law

I am an employment specialist with over 10 years’ experience in employment law and HR matters, regularly advising both employers and employees on all areas of employment law and in particular:

  • day to day HR issues and enquiries;
  • grievance and disciplinary processes;
  • performance and absence management processes;
  • protected conversations and settlement agreements;
  • drafting employment contracts and staff handbooks;
  • the enforceability of restrictive covenants;
  • ET and EAT litigation;
  • discrimination and whistleblowing claims;
  • redundancy and restructuring advice;
  • TUPE;
  • advice on employment status;
  • corporate support work during the sale and purchase of a company and to set up directorship arrangements (both non-executive and executive); and
  • GDPR in the employment and HR context.

I have particular expertise in providing corporate support to companies during the due diligence process of buying and selling a company and GDPR in an employment context.

I provide in house training to HR teams and managers and regularly deliver our line manager training programme to small groups of attendees.

I am a member of the Employment Lawyers Association.  

Immigration Law

I also advise on a range of business and personal immigration issues.

Business immigration

I regularly support companies in navigating the complexities of the immigration system, in particular:

  • advice on becoming a sponsor;
  • assistance with the application process to become a sponsor;
  • advice on sponsoring a specific employee to work in the UK and the process to follow;
  • compliance with sponsor duties and reporting relevant issues to the Home Office;
  • conducting appropriate right to work checks; and
  • the rights of EU nationals to work in the UK after Brexit and the steps a business must take.

Personal immigration

I also regularly advise individuals on their personal immigration situation and applications, in particular:

  • spousal and dependent applications to come to the UK or extend their right to be in the UK;
  • applications for indefinite leave to remain in the UK;
  • applications to naturalise as a British citizen and gain a British passport; and
  • advice to EU nationals on their options for remaining in the UK after Brexit.

I am a member of the Immigration Law Practitioners Association (ILPA).

I strongly believe in working alongside our clients to identify their preferred outcome and take steps to achieve that outcome, whilst working within the legal framework available to them. I take time to get to know our clients and their businesses so that the advice I give is tailored specifically to them and their organisation.

I provide practical advice to our clients that they can implement straight away to manage the situation they are handling.  I use my previous experience to give HR managers and business owners the tools they need to identify issues which may become problematic at an early stage and to act proactively to prevent situations escalating.

As all clients have different ways they prefer to receive advice from us, I work with our clients to identify their preferences and then where possible provide advice in this way to them to make the process as seamless as possible for them; whether that be practical advice on the telephone or email, template documents for them to adapt or a detailed legal advice letter.

I use my commercial knowledge and industry expertise to help my clients achieve their aims whilst minimising their risks as much as possible.

Where a situation creates risks for our clients I explain those risks but look for solutions to reduce them as much as possible and give our clients the most straightforward approach to take.

Insights from Charlotte Farrell

Articles

The future of the Seasonal Worker Scheme for horticulture and viticulture


Immigration update: two new changes for Spring 2024


Changes to paternity leave announced for 2024


Menopause and Employment Law : An employer's obligations


Podcasts

Charlotte Farrell and Ryan Mitchell | 27th October 2022

Subject Access Request


The Paris Smith Employment Podcast is a regular podcast that discusses all things related to employment law. The podcast is hosted by Charlotte Farrell and Ryan Mitchell, both of whom are lawyers at Paris Smith LLP. In today's episode, they discuss subject access requests and the key things businesses need to know about them. The GDPR was introduced in 2018 and has led to individuals becoming much more aware of their rights regarding their personal data. As a result, Paris Smith has seen more people making subject access requests.

You can find out more info here: https://parissmith.co.uk/your-business/commercial-law/data-protection-and-gdpr/


01:00:00 - The right to access personal data held by organisations is a legal right given to individuals.

02:00:00 - Personal data is any information that relates to an identified or identifiable living individual.

06:30:00 - Anonymised data can be excluded from a subject access request.

07:00:00 - Subject access requests are being used more often as a way to find information for employment tribunal claims.

07:54:00 - The main use for subject access requests in a commercial setting is to upgrade complaints to "super complaints."

09:00:00 - The main points to consider when dealing with a subject access request are verifying the requester's identity, diarising key dates, and trying to locate the requested information.

11:17:00 - Subject access requests are usually free, except for when they are excessive. If someone refuses to pay or withdraws their request, businesses may have trouble recovering costs.

13:38:00 - The business doesn't have to send the individual everything it finds. Someone needs to go through it and identify any documents which don't need to be disclosed.

15:00:00 - Organisations need to include a cover letter with personal data when sending it to someone in response to a subject access request.

16:20:00 - Employees use subject access requests to check that their personal data is being processed correctly, and also tactically.

18:16:00 - The government is proposing to decrease the threshold for an organisation being able to refuse to respond to a subject access request, or to be able to charge a reasonable fee.

19:19:00 - The word vexatious could potentially help to stop requests where the person is only using it to cause trouble for their employer or ex-employer.

19:50:00 - The top tip for dealing with subject access requests is to have a written procedure and use systems which allow for personal data to be easily searched, reviewed and extracted.

21:07:00 - HR and line managers should train all staff on the GDPR and data protection issues, including subject access requests. Staff should be aware of what they can and cannot do with personal information. Deleted emails are still searchable.

23:25:00 - The risks of getting subject access requests wrong include complaints to the Information Commissioner's Office and investigations which can lead to instructions on how to correct procedures.

Transcript

Welcome to the latest edition of the Paris Smith Employment Podcast.

I’m Charlotte Farrell and for today’s podcast we are very pleased to also welcome a guest from our commercial team, our colleague Ryan Mitchell.

We regularly work alongside Ryan on all things GDPR and data protection related and today we’re delighted that he’s joined us to discuss subject access requests and the key things businesses need to know about them. With the arrival of the GDPR in 2018, data protection and the rights of individuals when it comes to their personal data has come to the forefront of many people’s minds.

We are definitely finding that individuals are much more aware of their rights when it comes to how their personal data is handled and we have seen an increase in people, not just employees, bringing subject access requests against businesses. This brings with it many practical issues that businesses need to bear in mind when carrying out their day to day tasks.

So today we’re going to look at some of these issues, not only from the employment angle but also the general issues businesses should be aware of.

So I suppose the first thing we should talk about is what a subject access request is. Ryan, can you give us a brief overview of what a subject access request is?

Of course! A subject access request is a request by an individual (which can be verbal, in writing or via an automated system) to receive copies of the personal information which an organisation holds about them. We call that personal information ‘personal data’.

When making a subject access request, the individual can also ask for additional information about how and why the organisation uses their personal data.

Individuals have a legal right to make subject access requests. This is called the ‘right of access’. It’s a right which is specifically set out in data protection law. Because it’s a legal right, organisations have a legal duty to respond to a subject access request, subject to some very limited exceptions which we’ll come on to.

So it’s a really broad right in that case then, which can be very time consuming for a business to comply with. When you say “personal data” or personal information, what does that cover? Is it any time that someone’s name is mentioned or is it more limited?

So 'personal data' means any information that relates to an identified or identifiable living individual. That individual is called the “data subject” in data protection speak.

To work out whether a piece of information is classified as ‘personal data’ it’s helpful to ask two questions:

1. Does the information identify a living individual? The information could be identifying on its own, for example a person’s name. Alternatively, it might be possible to combine this piece of information with other information the organisation holds (or may in the future hold) in order to identify someone. For example, an employee number can be combined with HR records to work out which specific individual in the business has that employee number.

If we’re combining information to identify a person then we call that ‘indirectly’ identifying personal data. If it’s obvious from the piece of information alone who the person is then it’s ‘directly’ identifying personal data.

2. The second question we need to ask ourselves is whether the information ‘relates to’ the individual. It’s not enough just to be able to identify the individual from the information. The information must ‘concern’ the individual in some way.

Let’s take two examples: the statement “Joe Bloggs lives at 15 Beachcroft Road” and a personnel file note that says “Mary Stewart is dishonest and I think she has been stealing from us”. These are both pieces of personal data. We know this because:

The answer to our first question - does the information identify a living individual - is yes. Each of these two statements contains the individual’s name, meaning they are directly identified.

The answer to our second question - does the information relate to the individual - is also yes. The statement about Joe Bloggs’ address relates to where he lives. The note about Mary relates to her work performance and her integrity as an employee.

Because these are statements containing each individual’s personal data, they would need to be disclosed following a subject access request.

However, let’s take another example. Say we have hundreds of work emails with Joe Bloggs’ name on where the content of the email doesn’t relate to Joe Bloggs as an individual. In that situation, Joe Bloggs’ name and email address on those emails would identify him (so the answer to our first question is ‘yes’) but these pieces of information don’t actually ‘relate to’ Joe (so the answer to our second question is ‘no’). Rather, they’re just a record of who sent or received the emails. In this scenario, the emails wouldn’t need to be disclosed in response to a subject access request. The situation would be different if the substance of the emails did actually relate to Joe, for example because they discussed his performance at work.

The second question, of whether information ‘relates to’ an individual, can lead to some grey areas. When these types of questions arise, a good starting point would be the ICO’s guidance (available online at www.ico.org.uk). The guidance includes a number of worked examples which are really helpful.

But what if the data is anonymised, does it still count as personal data then?

No – if the data is anonymised then it isn’t treated as personal data. This is because it doesn’t identify a living individual. Provided you’re confident that the data is truly anonymised, it can be excluded from a subject access request.

Thanks Ryan for that very clear explanation. For three little words the process actually has some quite big implications and many businesses don’t understand that until they have to deal with it in practice themselves. We have definitely found over recent months and particularly since 2018 and the introduction of the GDPR that individuals are much quicker to make a subject access request and much more aware of what they should be sent. Even though it wasn’t what the process was set up for, we’ve always seen them used in the employment world as a fishing expedition to see if there are any juicy documents that it’s worth using to start a tribunal claim. If anything that has got worse since the GDPR.

Ryan, are there any particular ways that you regularly see them used in the purely commercial setting by clients or customers of business?

In a similar vein, we sometimes see customers make subject access requests if there’s a dispute. It’s a very easy way for an individual to upgrade their complaint to a ‘super complaint’ which can take a lot of time and sometimes money to respond to.

The main protection against these sorts of complaints is to have a good subject access procedure in place in readiness. When choosing new IT systems, it’s also a good idea to think about how easy it will be to search for personal data and extract it from the new system if a subject access request is received. This thought process when choosing or developing new systems is known as ‘privacy by design’.

Ok so I think it makes sense to now touch on the process a business should follow if someone makes a subject access request. If someone makes a subject access request there are key steps to take:

Firstly, always check the identity of the person making the request to make sure that it isn’t someone trying to commit fraud. If it’s an employee or someone the business knows personally you can speak to them to check the request came from them. Otherwise you can ask for ID such as a passport or driver’s licence or copy of a bill to check the request is legitimate.

Secondly, make sure you diarise the key dates. Since the introduction of the GDPR you have 1 month to process the request. This can be extended by a further two months if the request is particularly large or complex. If that’s the case you have to update the person and tell them that you need more time within the first one month time frame, so make sure those dates go in the diary and don’t leave dealing with the request until the last minute. In some cases it can take a long time to go through all the documents produced so it’s worth starting early!

Thirdly, always check that the subject access request makes sense and that you understand what they’re asking for. If not, you can go back to them to clarify the request and ask them to provide more information. The ICO doesn’t like companies that always ask for clarification though, so make sure there is a legitimate reason for asking. The clock stops while you’re waiting to hear back from the person so this can be helpful when the request is very big.

Once you know what is being asked for, the business must make reasonable efforts to find the information that was requested. They don’t have to conduct searches which would be unreasonable or disproportionate but will need to explain what searches they have done and why. It might involve searching servers, databases, email folders and paper filing systems.

Ryan, do you want to tell us a bit more about the costs of a subject access request?

Yes of course. So normally a business can’t charge someone if they make a subject access request – there used to be a £10 admin fee but that doesn’t exist anymore.

Now, the only times a business can charge for responding to a subject access request is if:
1. the request is ‘manifestly unfounded’ or ‘excessive’; or
2. the organisation is being asked to provide copies of information which the individual already has.

In either of these scenarios the organisation can charge a ‘reasonable fee’. Alternatively, if the request is ‘manifestly unfounded or excessive’ then the organisation can refuse to process the request altogether.

If you’re thinking of trying to charge the individual then it would be sensible to double-check with them that they still want to proceed, before carrying out any activities which you would look to charge for. If the individual refuses to pay, and you’ve already incurred the costs, then you may struggle to recover the money. If the individual withdraws their request, or part of their request, then you’ve saved the effort and cost of having to respond to it.

Additionally, we’d always recommend taking advice if you suspect a request is ‘manifestly unfounded’ or ‘excessive’. If the data subject complains to the ICO that you’ve unfairly refused to respond to the subject access request for these reasons then the ICO might want to double-check your reasoning. You may face enforcement action (which could include a fine) if you got it wrong and failed to respond to a valid request.

For this reason, it’s good practice to still process the parts of the request which you don’t object to and then explain in the cover letter why you couldn’t or wouldn’t respond to the other parts of the request. The ICO will see this as a better compromise than refusing to comply with the entire request.

Leading on from this, Charlotte, does the business have to send everything to the individual that they find?

That’s a really good point and one that is often forgotten about. The simple answer is no. Once the company has found all the documents containing the personal information requested, someone needs to go through it and identify any documents which don’t need to be disclosed. There is a long list but some of the most common ones we see are documents which also identify other people, documents which are covered by legal professional privilege, references, documents for the purposes of management forecasting or business planning which would prejudice the business if the information got out (i.e. a planned redundancy programme) and documents about negotiations between the parties which could cause problems in the negotiations if they were shared.

If any of this information is found the business needs to consider whether the document can be redacted to remove the personal information or whether consent can be obtained from the other people named in the document. If not then this can be withheld and a note added to the cover letter to explain this.

So having mentioned the cover letter, Ryan, I know these are letters that you often have to put together for clients when they are responding to subject access requests. What information do businesses have to put in the cover letter when they send the personal information to someone?

Yes, the letter is an important part of the process. The ICO guidance sets out what information has to be in the letter and says which documents need to be sent with it. Often the letter is repeating information that is already set out in the organisation’s Privacy Notice or Privacy Policy, and so much of the content can be adapted from there.

I won’t summarise every item that needs to go in the cover letter, but it’s basically the ‘what, why, where and how long’ of the organisation’s data processing activities. The individual also needs to be reminded of their legal rights, including the right to complain. I’d recommend double-checking the comprehensive list of information in the ICO’s guidance before the cover letter is sent, just to ensure that everything has been covered.

Charlotte, you mentioned earlier that you often see unhappy employees sending subject access requests to their employers. Would you like to talk more about the trends you’ve seen with these types of request?

Yes we definitely do. I’m not sure employees always use them in the right way though. The idea of a subject access request was so that an individual could check a business was processing their personal data in the correct way and for the reasons it was given to them. For example, not selling their contact details to people who want to sell them new windows, or sharing their health information with insurance companies. In the employment world, people tend to use them in a more tactical way.

We regularly see individuals make a subject access request at the same time as they raise a grievance to complain about something happening at work. Or if they are trying to negotiate a settlement package from their employer, an employee will make a subject access request in the hope that dealing with it will be too difficult for the employer and they will agree to the payment to avoid having to do so. Employees do also do it as a fishing exercise to decide whether or not they want to bring a claim and I would say that more often than not they bring them for the nuisance factor. Sometimes this works and the employer responds to it, in other situations it annoys the employer and they dig their heels in and comply with the request to avoid giving in to what they can perceive as a threat.

Interesting. From the organisation’s perspective, it’s unfortunate that the law can be used in this way.

I know that last year the government consulted on whether to reintroduce a nominal fee for making subject access requests, like the £10 charge we had under the old law. In the end they decided not to go ahead with it.

Following that same consultation the government did decide to proceed with looking to decrease the threshold for an organisation being able to refuse to respond to a subject access request, or to be able to charge a reasonable fee to respond. You’ll remember from earlier that the current threshold is that the request needs to be ‘manifestly unfounded’ or ‘excessive’. In response to the consultation, the government said they would look to reduce this so that the organisation only needs to show that the request was ‘vexatious’ or ‘excessive’.

This approach hasn’t been finalised but do you see this change as being a positive for employers?

Yes I really think it would be. We often see the word vexatious used to describe things in the employment world and it could potentially help to stop requests where the person is only using it to cause trouble for their employer or ex-employer. Those types of requests weren’t stopped by the “manifestly unfounded” category as it didn’t quite fit!

What would your top tip for dealing with subject access requests be Ryan?

I previously mentioned that it’s important for organisations to have a written subject access request procedure. This ensures all the key personnel involved in responding to a subject access request know what to do and can take action within the legal time limit. Where possible, this should be supported by the organisation using systems which allow for personal data to be easily searched for, reviewed and extracted following a subject access request. If searching and collating the data is an issue then there are third party service providers who can help with this process, although they can be costly to use.

A data audit of the organisation’s systems can reveal which repositories of data are most likely to cause an issue. Often these are old, legacy systems or paper-based records which can’t be easily searched. The organisation might want to prioritise searching those sources first when receiving a subject access request. That way they don’t overrun the deadline to respond.

Charlotte, is there anything else which HR teams and line managers can specifically do to prepare for the eventuality of receiving a subject access request?

There definitely are and it is worth investing some time in training all those with line management responsibilities in them to try and make the process as easy as possible if someone does make a subject access request. Some common sense things are:
- to make sure email and filing systems are kept up to date and are easily searchable
- to keep all HR related emails and documents together in one central system and not on individual email accounts or hard drives
- be careful about what is said by email – if in doubt have a conversation
- when writing internal notes and emails, bear in mind that the person it is about and/or a judge could potentially read it in the future. If you wouldn’t want them to read it then reconsider what you’re writing

We also recommend all staff have training on the GDPR and data protection issues in general, including subject access requests, so they know what they are and how they fit into the business. This doesn’t just apply to those who manage staff; anyone who handles personal information about clients, customers or employees should be aware of the legislation and duties and know what they should and shouldn’t do.

It’s also important to remember that deleted emails are also searchable and so just because something has been deleted doesn’t guarantee that

Before we end our discussion on subject access requests today, I think it’s worth us just briefly touching on the risks of getting it wrong as well. Ryan, do you want to share some final thoughts with us about that?

Of course. If the data subject doesn’t think that the organisation has complied with the process properly then they can complain to the Information Commissioner’s Office (the ICO). The ICO may launch an investigation in response to the complaint. It will take management time (and possibly legal fees) for the organisation to respond to the ICO’s enquiries.

If the ICO finds that the organisation has not followed the law then it may give binding instructions on how the organisation should correct its procedures and documentation. If there has been a serious breach of the law then the ICO might use its other enforcement powers, such as publishing a public notice about the breaches (which can lead to reputational damage) and/or issuing fines.
It’s therefore worth investing the time to ensure you respond to subject access requests properly and promptly first time around!

So that brings us to an end of our brief foray into data protection and subject access requests. Thank you to Ryan for being our first guest star on the employment podcast and thank you to you all for joining us too. We hope you found it useful. For further information in relation to the issues we have discussed today, please contact us via our website www.parissmith.co.uk or find us on LinkedIn.


Tabytha Cunningham and Charlotte Farrell | 3rd February 2022

Hybrid and Remote Working: Practical Implications for Employers


Remote and hybrid working has now become the norm for many businesses. Not only can there be various benefits to this flexibility, but more and more prospective employees look for this when applying for roles.

Employers who have embraced remote and hybrid working however need to ensure they are doing this compliantly; it's crucial to have the right policies in place and employment contracts.

Employment experts Tabytha Cunningham and Charlotte Farrell discuss in our latest episode.

Find out more: parissmith.co.uk/your-business/employment-law/

Download our guide to hybrid working: parissmith.co.uk/wp-content/uploa…brid-working.pdf

00:45
Why should employers formalise their remote working practices?
Employers need to think about how they can support employees who are now permanently working from home.

02:33
What steps do employers need to take to formalise these new processes? Charlotte and Tabytha talk about the importance of having a hybrid working policy and what this should include.

04:35
Key practical considerations - our experts cover health and safety, risk assessments and data protection obligations in relation to hybrid and remote workers.

07:15
How employers can best support their remote employees and the importance of using appraisal procedures effectively.

09:35
Issues with international employees. If employers are happy with having staff in other locations, what practically do they need to think about?


Videos

Subject Access Request


Charlotte Farrell and Ryan Mitchell | 3rd November 2022

Subject Access Request

The Paris Smith Employment Podcast is a regular podcast that discusses all things related to employment law. The podcast is hosted by Charlotte Farrell and Ryan Mitchell, both are lawyers at Paris Smith LLP. In today's episode, they discuss subject access requests and the key things businesses need to know about them. The GDPR was introduced in 2018 and has led to individuals becoming much more aware of their rights regarding their personal data. As a result, Paris Smith has seen more people making subject access requests.

You can find out more info here: https://parissmith.co.uk/your-business/commercial-law/data-protection-and-gdpr/


01:00:00 - The right to access personal data held by organisations is a legal right given to individuals.

02:00:00 - Personal data is any information that relates to an identified or identifiable living individual.

06:30:00 - Anonymised data can be excluded from a subject access request.

07:00:00 - Subject access requests are being used more often as a way to find information for employment tribunal claims.

07:54:00 - The main use for subject access requests in a commercial setting is to upgrade complaints to "super complaints."

09:00:00 - The main points to consider when dealing with a subject access request are verifying the requester's identity, diarising key dates, and trying to locate the requested information.

11:17:00 - Subject access requests are usually free, except for when they are excessive. If someone refuses to pay or withdraws their request, businesses may have trouble recovering costs.

13:38:00 - The business doesn't have to send everything to the individual who they find. Someone needs to go through it and identify any documents which don't need to be disclosed.

15:00:00 - Organisations need to include a cover letter with personal data when sending it to someone in response to a subject access request.

16:20:00 - Employees use subject access requests to check their personal data is being processed correctly and tactically.

18:16:00 - The government is proposing to decrease the threshold for an organisation being able to refuse to respond to a subject access request, or to be able to charge a reasonable fee.

19:19:00 - The word vexatious could potentially help to stop requests where the person is only using it to cause trouble for their employer or ex-employer.

19:50:00 - The top tip for dealing with subject access requests is to have a written procedure and use systems which allow for personal data to be easily searched, reviewed and extracted.

21:07:00 - HR and line managers should train all staff on the GDPR and data protection issues, including subject access requests. Staff should be aware of what they can and cannot do with personal information. Deleted emails are still searchable.

23:25:00 - The risks of getting subject access requests wrong include complaints to the Information Commissioner's Office and investigations which can lead to instructions on how to correct procedures.

Transcript

Welcome to the latest edition of the Paris Smith Employment Podcast.

I’m Charlotte Farrell and for today’s podcast we are very pleased to also welcome a guest from our commercial team, our colleague Ryan Mitchell.

We regularly work alongside Ryan on all things GDPR and data protection related and today we’re delighted that he’s joined us to discuss subject access requests and the key things businesses need to know about them. With the arrival of the GDPR in 2018, data protection and the rights of individuals when it comes to their personal data has come to the forefront of many people’s minds.

We are definitely finding that individuals are much more aware of their rights when it comes to how their personal data is handled and we have seen an increase in people, not just employees, bringing subject access requests against businesses. This brings with it many practical issues that businesses need to bear in mind when carrying out their day to day tasks.

So today we’re going to look at some of these issues, not only from the employment angle but also the general issues businesses should be aware of.

So I suppose the first thing we should talk about is what a subject access request is. Ryan, can you give us a brief overview of what a subject access request is.

Of course! A subject access request is a request by an individual (which can be verbal, in writing or via an automated system) to receive copies of the personal information which an organisation holds about them. We call that personal information ‘personal data’.

When making a subject access request, the individual can also ask for additional information about how and why the organisation uses their personal data.

Individuals have a legal right to make subject access requests. This is called the ‘right of access’. It’s a right which is specifically set out in data protection law. Because it’s a legal right, organisations have a legal duty to respond to a subject access request, subject to some very limited exceptions which we’ll come on to.

So it’s a really broad right in that case then which can be very time consuming for a business to comply with. When you say, “personal data” or personal information, what does that cover. Is it any time that someone’s name is mentioned or is it more limited?

So 'personal data' means any information that relates to an identified or identifiable living individual. That individual is called the “data subject” in data protection speak.

To work out whether a piece of information is classified as ‘personal data’ it’s helpful to ask two questions:

1. Does the information identify a living individual? The information could be identifying on its own, for example a person’s name. Alternatively, it might be possible to combine this piece of information with other information the organisation holds (or may in the future hold) in order to identify someone. For example, an employee number can be combined with HR records to work out which specific individual in the business has that employee number.

If we’re combining information to identify a person then we call that ‘indirectly’ identifying personal data. If it’s obvious from the piece of information alone who the person is then it’s ‘directly’ identifying personal data.

2. The second question we need to ask ourselves is whether the information ‘relates to’ the individual. It’s not enough just to be able to identify the individual from the information. The information must ‘concern’ the individual in some way.

Let’s take two examples: the statement “Joe Bloggs lives at 15 Beachcroft Road” and a personnel file note that says “Mary Stewart is dishonest and I think she has been stealing from us”. These are both pieces of personal data. We know this because:

The answer to our first question - does the information identify a living individual - is yes. Each of these two statements contains the individual’s name, meaning they are directly identified.

The answer to our second question - does the information relate to the individual - is also yes. The statement about Joe Bloggs’ address relates to where he lives. The note about Mary relates to her work performance and her integrity as an employee.

Because these are statements containing each individual’s personal data, they would need to be disclosed following a subject access request.

However, let’s take another example. Say we have hundreds of work emails with Joe Bloggs’ name on where the content of the email doesn’t relate to Joe Bloggs as an individual. In that situation, Joe Bloggs’ name and email address on those emails would identify him (so the answer to our first question is ‘yes’) but these pieces of information don’t actually ‘relate to’ Joe (so the answer to our second question is ‘no’). Rather, they’re just a record of who sent or received the emails. In this scenario, the emails wouldn’t need to be disclosed in response to a subject access request. The situation would be different if the substance of the emails did actually relate to Joe. For example, because they discussed his performance at work.

The second question, of whether information ‘relates to’ an individual, can lead to some grey areas. When these types of questions arise, a good starting point would be the ICO’s guidance (available online at www.ico.org.uk). The guidance includes a number of worked examples which are really helpful.

But what if the data is anonymised, does it still count as personal data then?

No – if the data is anonymised then it isn’t treated as personal data. This is because it doesn’t identify a living individual. Provided you’re confident that the data is truly anonymised, it can be excluded from a subject access request.

Thanks Ryan for that very clear explanation. For three little words the process actually has some quite big implications and many businesses don’t understand that until they have to deal with it in practice themselves. We have definitely found over recent months and particularly since 2018 and the introduction of the GDPR that individuals are much quicker to make a subject access request and much more aware of what they should be sent. Even though it wasn’t what the process was set up for, we’ve always seen them used in the employment world as a fishing expedition to see if there are any juicy documents that it’s worth using to start a tribunal claim. If anything that has got worse since the GDPR.

Ryan, are there any particular ways that you regularly see them used in the purely commercial setting by clients or customers of business?

In a similar vein, we sometimes see customers make subject access requests if there’s a dispute. It’s a very easy way for an individual to upgrade their complaint to a ‘super complaint’ which can take a lot of time and sometimes money to respond to.

The main protection against these sorts of complaints is to have a good subject access procedure in place in readiness. When choosing new IT systems, it’s also a good idea to think about how easy it will be to search for personal data and extract it from the new system if a subject access request is received. This thought process when choosing or developing new systems is known as ‘privacy by design’.

Ok so I think it makes sense to now touch on the process a business should follow if someone makes a subject access request. If someone makes a subject access request there are key steps to take:

Firstly, always check the identity of the person making the request to make sure that it isn’t someone trying to commit fraud. If it’s an employee or someone the business knows personally you can speak to them to check the request came from them. Otherwise you can ask for ID such as a passport or driver’s licence or copy of a bill to check the request is legitimate.

Secondly, make sure you diarise the key dates. Since the introduction of the GDPR you have 1 month to process the request. This can be extended by a further two months if the request is particularly large or complex. If that’s the case you have to update the person and tell them that you need more time within the first one month time frame so make sure those dates go in the diary and don’t leave dealing with the request until the last minute. In some cases it can take a long time to go through all the documents produced so it’s worth starting early!

Thirdly, always check that the subject access request makes sense and that you understand what they’re asking for. If not you can go back to them to clarify the request and ask them to provide more information. The ICO doesn’t like companies that always ask for clarification though so make sure there is a legitimate reason for asking. The clock stops while you’re waiting to hear back from the person so this can be helpful when the request is very big.

Once you know what is being asked for the business must make reasonable efforts to find the information that was requested. They don’t have to conduct searches which would be unreasonable or disproportionate but will need to explain what searches they have done and why. It might involve searching servers, databases, email folders and paper filing systems.

Ryan do you want to tell us a bit more about the costs of a subject access request.

Yes of course. So normally a business can’t charge someone if they make a subject access request – there used to be a £10 admin fee but that doesn’t exist anymore.

Now, the only times a business can charge for responding to a subject access request is if:
1. the request is ‘manifestly unfounded’ or ‘excessive’; or
2. the organisation is being asked to provide copies of information which the individual already has.

In either of these scenarios the organisation can charge a ‘reasonable fee’. Alternatively, if the request is ‘manifestly unfounded or excessive’ then the organisation can refuse to process the request altogether.

If you’re thinking of trying to charge the individual then it would be sensible to double-check with them that they still want to proceed, before carrying out any activities which you would look to charge for. If the individual refuses to pay, and you’ve already incurred the costs, then you may struggle to recover the money. If the individual withdraws their request, or part of their request, then you’ve saved the effort and cost of having to respond to it.

Additionally, we’d always recommend taking advice if you suspect a request is ‘manifestly unfounded’ or ‘excessive’. If the data subject complains to the ICO that you’ve unfairly refused to respond to the subject access request for these reasons then the ICO might want to double-check your reasoning. You may face enforcement action (which could include a fine) if you got it wrong and failed to respond to a valid request.

For this reason, it’s good practice to still process the parts of the request which you don’t object to and then explain in the cover letter why you couldn’t or wouldn’t respond to the other parts of the request. The ICO will see this as a better compromise than refusing to comply with the entire request.

Leading on from this, Charlotte, does the business have to send everything to the individual that they find?

That’s a really good point and one that is often forgotten about. The simple answer is no. Once the company has found all the documents containing the personal information requested, someone needs to go through it and identify any documents which don’t need to be disclosed. There is a long list but some of the most common ones we see are documents which also identify other people, documents which are covered by legal professional privilege, references, documents for the purposes of management forecasting or business planning which would prejudice the business if the information got out (i.e. a planned redundancy programme) and documents about negotiations between the parties which could cause problems in the negotiations if they were shared.

If any of this information is found the business needs to consider whether the document can be redacted to remove the personal information or whether consent can be obtained from the other people named in the document. If not then this can be withheld and a note added to the cover letter to explain this.

So having mentioned the cover letter, Ryan I know these are letters that you often have to put together for clients when they are responding to subject access requests, what information do businesses have to put in the cover letter when they send the personal information to someone.

Yes, the letter is an important part of the process. The ICO guidance sets out what information has to be in the letter and says which documents need to be sent with it. Often the letter is repeating information that is already set out in the organisation’s Privacy Notice or Privacy Policy, and so much of the content can be adapted from there.

I won’t summarise every item that needs to go in the cover letter, but it’s basically the ‘what, why, where and how long’ of the organisation’s data processing activities. The individual also needs to be reminded of their legal rights, including the right to complain. I’d recommend double-checking the comprehensive list of information in the ICO’s guidance before the cover letter is sent, just to ensure that everything has been covered.

Charlotte, you mentioned earlier that you often see unhappy employees sending subject access requests to their employers. Would you like to talk more about the trends you’ve seen with these types of request?

Yes we definitely do. I’m not sure employees always use them in the right way though. The idea of a subject access request was so that an individual could check a business was processing their personal data in the correct way and for the reasons it was given to them. For example, not selling their contact details to people who want to sell them new windows, or sharing their health information with insurance companies. In the employment world, people tend to use them in a more tactical way.

We regularly see individuals make a subject access request at the same time as they raise a grievance to complain about something happening at work. Or if they are trying to negotiate a settlement package from their employer, an employee will make a subject access request in the hope that dealing with it will be too difficult for the employer and they will agree to the payment to avoid having to do so. Employees do also do it as a fishing exercise to decide whether or not they want to bring a claim and I would say that more often than not they bring them for the nuisance factor. Sometimes this works and the employer responds to it, in other situations it annoys the employer and they dig their heels in and comply with the request to avoid giving in to what they can perceive as a threat.

Interesting. From the organisation’s perspective, it’s unfortunate that the law can be used in this way.

I know that last year the government consulted on whether to reintroduce a nominal fee for making subject access requests, like the £10 charge we had under the old law. In the end they decided not to go ahead with it.

Following that same consultation the government did decide to proceed with looking to decrease the threshold for an organisation being able to refuse to respond to a subject access request, or to be able to charge a reasonable fee to respond. You’ll remember from earlier that the current threshold is that the request needs to be ‘manifestly unfounded’ or ‘excessive’. In response to the consultation, the government said they would look to reduce this so that the organisation only needs to show that the request was ‘vexatious’ or ‘excessive’.

This approach hasn’t been finalised but do you see this change as being a positive for employers?

Yes I really think it would be. We often see the word vexatious used to describe things in the employment world and it could potentially help to stop requests where the person is only using it to cause trouble for their employer or ex-employer. Those types of requests weren’t stopped by the “manifestly unfounded” category as it didn’t quite fit!

What would your top tip for dealing with subject access requests be Ryan?

I previously mentioned that it’s important for organisations to have a written subject access request procedure. This ensures all the key personnel involved in responding to a subject access request know what to do and can take action within the legal time limit. Where possible, this should be supported by the organisation using systems which allow for personal data to be easily searched for, reviewed and extracted following a subject access request. If searching and collating the data is an issue then there are third party service providers who can help with this process, although they can be costly to use.

A data audit of the organisation’s systems can reveal which repositories of data are most likely to cause an issue. Often these are old, legacy systems or paper-based records which can’t be easily searched. The organisation might want to prioritise searching those sources first when receiving a subject access request. That way they don’t overrun the deadline to respond.

Charlotte, is there anything else which HR teams and line managers can specifically do to prepare for the eventuality of receiving a subject access request?

There definitely are and it is worth investing some time in training all those with line management responsibilities in them to try and make the process as easy as possible if someone does make a subject access request. Some common sense things are:
- to make sure email and filing systems are kept up to date and are easily searchable
- to keep all HR related emails and documents together in one central system and not on individual email accounts or hard drives
- be careful about what is said by email – if in doubt have a conversation
- when writing internal notes and emails, bear in mind that the person it is about and/or a judge could potentially read it in the future. If you wouldn’t want them to read it then reconsider what you’re writing

We also recommend all staff have training on the GDPR and data protection issues in general, including subject access requests so they know what they are and how they fit into the business. This doesn’t just apply to those who manage staff; anyone who handles personal information about clients, customers or employees should be aware of the legislation and duties and know what they should and shouldn’t do.

It’s also important to remember that deleted emails are also searchable and so just because something has been deleted doesn’t guarantee that

Before we end our discussion on subject access requests today, I think it’s worth us just briefly touching on the risks of getting it wrong as well. Ryan do you want to share some final thoughts with us about that?

Of course. If the data subject doesn’t think that the organisation has complied with the process properly then they can complain to the Information Commissioner’s Office (the ICO). The ICO may launch an investigation in response to the complaint. It will take management time (and possibly legal fees) for the organisation to respond to the ICO’s enquiries.

If the ICO finds that the organisation has not followed the law then it may give binding instructions on how the organisation should correct its procedures and documentation. If there has been a serious breach of the law then the ICO might use its other enforcement powers, such as publishing a public notice about the breaches (which can lead to reputational damage) and/or issuing fines.
It’s therefore worth investing the time to ensure you respond to subject access requests properly and promptly first time around!

So that brings us to an end of our brief foray into data protection and subject access requests. Thank you to Ryan for being our first guest star on the employment podcast and thank you to you all for joining us too. We hope you found it useful. For further information in relation to the issues we have discussed today, please contact us via our website www.parissmith.co.uk or find us on LinkedIn.

How I’ve helped our clients

Crondall Energy enlisted the immigration services of Paris Smith, namely Tabytha Cunningham and Charlotte Farrell, to advise and assist firstly with a sponsorship licence application, and also with the application of a skilled worker visa. Charlotte and Tabytha are both extremely professional with excellent communication skills. From the outset, their communication has been both thorough and easy to understand. They are very quick to respond to any queries and we are totally confident that the advice we are receiving is both accurate and up-to-date. The process for application of both a sponsorship licence and a skilled worker visa is extremely complicated and requires high attention to detail and having the assistance of Tabytha and Charlotte has proved invaluable.

Jo Whitlock, HR & Office Manager
Crondall Energy

I received excellent service and advice from Tabytha and Charlotte, especially given the time constraints of the issue that we were looking to resolve. Communication was prompt and easily understood and we ultimately achieved the desired outcome.

Oat Services Ltd - Employment & Immigration Law Advice

In recent months I have had the pleasure to be assisted by a good number of the Paris Smith legal teams on a range of matters including sale of business, IPR and employment matters. Referring to the most recent experience with a company employment matter, I would commend Charlotte and Tabytha most highly for the service they provided to me. They give clear information so one knows what the legal position is and support that with a pragmatic commercial approach to help resolve the real life situation. I felt much more comfortable after speaking with the Paris Smith Employment team and would like them to be our preferred partner in relation to these legal matters.

Sandra Walmsley, Finance Director
Aspect Ecology Ltd

As a relatively new client of Paris Smith I have been incredibly impressed by the professionalism and quality of advice given to me, and the company, by both Charlotte and Tabytha.  Assuming a pivotal role within a global company has presented issues in terms of Brexit and the movement of inter company personnel.  Engaging with Charlotte and Tabytha early has allowed us to navigate the legal complexities of Visa issuance and sponsorship with ease, something we would have struggled with without their sound advice. Explaining complex legal jargon in a simple and clear format along with an enthusiastic and professional approach has helped us immensely and it has, and will continue, to be a pleasure to be a client of Paris Smith. A first class service!

Andrew Pollington, Head UK Support Services
Tekever Ltd

Our organisation has been working with Paris Smith for a few years, but I was first introduced to Charlotte Farrell and Tabytha Cunningham in the summer of 2021 when we applied for a Skilled Worker Sponsorship Licence. Having never worked in this area before, and finding the UKVI website and CoS application process confusing, we asked for their help. They made everything so much easier for us – from writing some of the wording needed to back up our case to producing a step by step guide on what we needed to do from start to finish. They have helped us with everything we have needed – CoS allocation increase, priority applications, creating and assigning a CoS, a new licence application due to change in circumstances, the list is long. They are extremely knowledgeable, very patient and always respond to emails or phone calls quickly. They provide an absolutely excellent service with a smile and I cannot recommend them highly enough.

Sarah Farley, Head of People
Cloud21 Limited

I have been a client of Paris Smith's Employment law department for several years, including for the resolution of a challenging worker-related dispute. The team has been superb throughout, far exceeding my expectations in terms of their professionalism, proactiveness, pragmatism and generous spirit, often going above and beyond in their service delivery to bring the matter to a far better than hoped for conclusion. At a personal level, everyone I dealt with was delightful too. Paris Smith will certainly remain my 'go to' law firm for employment and other legal advice!

Dr Katja LH Samuel, Chief Executive Officer
Global Security and Disaster Management

Your advice and guidance on a recent employment matter was extremely helpful, to the point and gratefully appreciated. I would be happy to recommend Paris Smith who were efficient and thorough in the legal service and advice offered. I felt relieved and secure with the support, counsel and your professional manner throughout.

Naz Lewis-Humphrey

I have recently absorbed a new HR role and have needed to get reassurance, advice, confirmation from Paris Smith on a number of different situations over the past 5 months including, redundancies, resignations and terminations, salaries and hourly rates for part time employees, diversity in the workplace. Charlotte and Tabytha have been brilliant and so supportive with me stepping into this role and have reassured me that what I have learnt on my HR studies and what I do on a daily basis, is correct and as advised for best practice. They are quick to respond and happy to help in any way. They are both down to earth but at the same time providing a quality service.

High level employee - Construction Industry

PHL have worked with Paris Smith since 2016 who have provided exceptional employment law advice and support over the years. They have provided various advice on employee case management situations, self-employed status, union, TUPE, IR35 and NHS AFC legislation advice to name a few. I find them a professional, friendly, approachable team who provide a quick turnaround on support and advice. They are always quick to respond in a professional manner, breaking down the complexities of employment law and regulations talking through possible options. We also enjoy the regular HR seminars they invite us to which consist of employment law updates, case study examples and a chance to meet the team.

Bobby-Anne Payne, HR Manager - Partnering Health Ltd
Partnering Health Ltd

I needed employment advice regarding a settlement agreement and was recommended by another solicitor. Charlotte offered swift advice within a very challenging time scale. I found the combination of the professionalism, speed and pragmatism shown by Charlotte to be excellent. She really did care about my situation. Charlotte Farrell was simply first class.

Name withheld

Charlotte has gone well beyond what could reasonably be expected to bring an employment matter to a timely conclusion. Throughout the process she has been very helpful, understanding and friendly, provided clear and succinct advice, and regular updates.

Name withheld

I was recently made redundant and needed legal representation. I have found Charlotte to be very helpful and hardworking, checking for my understanding throughout and working to ensure she met what was an incredibly tight deadline. Overall this has made a difficult situation much less stressful. I would like to thank Charlotte for her expertise and her personable approach, allowing me to wrap up a difficult time with a satisfactory outcome.

Name withheld

I have received a reliable, professional and value for money service from Paris Smith for a number of years. Paris Smith are able to offer advice, guidance and have assisted me with both my personal and business requirements, and supported me through any necessary action required to be taken. Paris Smith have experts within their team of professionals who have, in their specialism, assisted with my personal and business activities, conveyancing, Will and associated end of life planning, probate, employment issues and tax planning. Their professional advice, suggested course of action, clearly explained and if required quickly executed. I shall continue to use their excellent services in supporting me with my business and any personal issues I may have in the future.

Julie Harrison, MD - The White House (Curdridge) Ltd
The White House (Curdridge) Ltd

Charlotte and Tabytha were an amazing source of support, guidance and expertise during one of the most challenging times of my employment life. Their commitment and willingness to go the extra mile to help me was so valued and appreciated. We concluded the case with me securing enough financial recompense to cover my losses which meant so much to me and my family. I would not hesitate to highly recommend the support of Charlotte and Tabytha for any employment tribunal case.

Former National Development Manager - Health and Social Care sector

Paris Smith is a fantastic company with departments for all areas. Not only are they a fast responsive team they are good at what they do and are easy to communicate with. They have helped review all of my employment documents across three companies, tying them all up together with the correct documentation and making it easy for me to move forwards with minor editing. They were sympathetic to my new company as this only had start up funds and so I was working to a budget! I found them willing to help me, and were interested in my business and projects. Really trying to understand and suggest what was best for me. I am continuing to work my way round the departments so all areas of business meet current legislation. I look forward to future business.

Anthony Hughes, Director
Window Repair Specialists

Outstanding service provided by Tabytha Cunningham and her colleague Charlotte Farrell. I would highly recommend Tabytha as she provided exceptional and first class legal advice on an elongated dispute with my previous employer. Tabytha is very professional and her attention to detail is astounding. Tabytha is honest, hardworking, trusted and a brilliant individual working for a well sought after legal company - she is a real credit to Paris Smith LLP. Tabytha kept me in the loop and did exactly as she said she would and I was never let down. After two years I was grateful for Tabytha's tenacity and her extreme passion in her role. Highly recommended.

Daljit Kooner

Truly the most informative, relevant, and interesting course I've done. It's so useful to have the chance to hear from the law firm and HR and be able to ask any queries. Courses like this help massively in giving us the confidence and knowledge to carry out the processes correctly.

Feedback from an attendee at a recent in house training course on carrying out disciplinary and grievance investigations effectively

Charlotte & Tabytha have provided an excellent, efficient and honest service throughout with clear and regular updates and communication.

Paul Atwal