The Data Protection Act (1998)  (“the Act”) says anyone, including employers,  who records and uses personal information (“Data Controllers”) must be open about how the information is used and must follow eight principles of “good information handling”.  The Act also gives all individuals (“Data Subjects”) the right to see information that is held about them and to have it corrected if it is wrong.

The right of subject access

Under the Act employees are entitled to see information held about them on computer and some paper records.

An employee has the right to make a “subject access request” and employers must deal with it quickly.

Within a specified time limit of making a “subject access request” an employer must send to the employee:

• A copy of the information hold on them;
• A description of why this information is processed;
• Details of anyone it may be passed to or seen by; and
• The logic involved in any automated decisions.

You can if you wish, charge the employee the fee of £10.00 for supplying the information.

The Act requires that every Data Controller who is processing personal data must notify the Data Protection Commissioner of this fact unless they are exempt.  Your failure to notify when you are not exempt is a criminal offence punishable by a fine.  Even if you are exempt from notification you must still comply with the principles.