Access to Employee Data Under the GDPR Policy

{{org_field_name}} aims to fulfil its obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) to the fullest extent. This policy states the rights of employees under current data protection laws to access any personal information that is held on them by their employer. GDPR also requires employers to obtain the active consent of their employees to the holding of their personal information, and to provide information on how long they need to keep it.

Principles of Data Protection

The care provider fully endorses and adheres to the six principles of data protection as set out in Article 5 of GDPR.

  1. Data will be processed lawfully, fairly and in a transparent manner.
  2. Data will be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes.
  3. Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  4. Data will be accurate and, where necessary, kept up to date.
  5. Data will be kept for no longer than is necessary for the purposes for which it was collected.
  6. Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Employees whose roles involve access to personal data must follow these principles at all times when processing or using employees’ personal information.

Data Security

All employees whose roles involve access to personal data are responsible for ensuring that the data they hold is kept securely and that it is not disclosed, whether accidentally or otherwise, to any unauthorised third party.

Personal information should be kept in a locked filing cabinet, drawer or safe. If it is kept electronically, it should be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer or safe.

Any unauthorised disclosure will normally be regarded as a disciplinary matter, and may be considered gross misconduct in some cases.

Access to Personal Data

  1. GDPR permits employees to have access to personal data about them held by an organisation. This Act requires {{org_field_name}} to respond to requests for access to personal data within 40 days.
  2. Details of an employee’s personal data are available upon request in line with the principles of GDPR (see paragraph 1, above).
  3. Employees are required to read this information carefully and inform _______________ at the earliest opportunity if they believe that any of their personal data are inaccurate or untrue, or if they are dissatisfied with the information in any way.
  4. GDPR gives data subjects the right to have access to their personal data on request at reasonable intervals. {{org_field_name}} believes that complying with a request for a copy of the data annually will satisfy this requirement. Should employees wish to request access to their personal data, the request must be addressed to _______________. The request will be judged in the light of the nature of the personal data and the frequency with which they are updated. The employee will then be informed whether or not the request is to be granted. If it is, the information will be provided within 40 days of the date of the request.
  5. In the event of a disagreement between an employee and {{org_field_name}} regarding personal data, the matter should be taken up under {{org_field_name}}’s formal grievance procedure.

Additional Clause(s)

  1. Where employees make additional requests for access to their personal data, and those requests are granted, a fee of £_______________ may be charged, which must be paid to _______________ before a copy of the personal data will be given.

In the interests of openness and fairness, {{org_field_name}} will provide copies of personal records held manually to employees on _______________ each year. The procedure which applies to computerised data will apply to such manual files.

Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}

Reviewed on: {{last_update_date}}

Next Review Date: {{next_review_date}}

