organisation is large, you
check with a random sample of workers that they:
are aware of this information;
regularly review and, where necessary, update your privacy information. You
new uses of people’s personal information to their attention before you start the processing.
Do workers have a right to access their employment records?
Yes. The right of access is commonly referred to as a subject access request (SAR). It gives someone the
right to obtain a copy of their personal information from your organisation. This includes where you got
their information from, what you’re using it for and who you’re sharing it with.
There are no formal requirements about how the request is made. A SAR can be made verbally or in
writing, including by social media. Workers can make requests to any part of your organisation, and they do
not have to direct it to a specific person or contact point. However, you
have a designated person,
team and email address for SARs. You
set up a specialist portal or process for your workers to help
them make SARs efficiently and to help you to recognise and respond to them.
Workers are especially likely to exercise their right to access their employment records during grievance or
disciplinary proceedings, or in the case of dismissal. You
make sure that managers in your
organisation are aware that a worker going through disciplinary or grievance proceedings still has the
right to access their personal information.
respond to a SAR from a worker without delay and within one month of receiving the request.
extend the time limit for responding by up to two months if the SAR is complex or if
they have sent you a number of requests.
If you have a large amount of information about someone, and their request is not clear, you can ask them
to specify the information or processing activities their request relates to. In these cases, the time limit for
responding to the request is paused until you receive clarification, although you
the supplementary information you can do within one month.
You may have outsourced some of your processing to another organisation that holds personal information
on your behalf (and you, as controller, do not hold that information). As a controller, you are still ultimately
responsible for complying with SARs for employment records, not your processor.
help you meet your obligations for SARs and you
agreement with them. The processor
search for this information and, if necessary, give you a copy, if
How to write a privacy notice and what goes in it
– guidance for small to medium sized enterprises
16 October 2023 - 0.0.23