Employee Data Privacy

United Kingdom - Employee Access Rights

 Download as a PDF

Do individuals have the right to access their personal information?


Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.

Employers are required to provide specific information to employees, including the following information:

  • the name and details of the organization;
  • the purposes of the processing;
  • the details of transfers of the personal data to any third countries or international organizations (if relevant);
  • the source and the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to: request rectification or erasure of personal data; request restriction of processing data concerning the data subject; or, to object to such processing;
  • the right to lodge a complaint with a supervisory authority.

If relevant, the following information should also be provided:

  • the details of the existence of automated decision-making, including profiling;
  • the right to withdraw consent;
  • the name and details of the organization’s representative; and
  • the contact details of the organization’s data protection officer.

Every person may directly request that the data be corrected, completed, clarified or erased. Requests can be sent directly to the data controller or to any other actor in the chain of processing. Processors and sub-processors are obligated to inform the data controller of requests and can only proceed with the request under the controller’s instructions. Therefore, the processor shall, whenever possible, assist the data controller with data subjects’ requests.

As a general rule, the access request shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, a reasonable fee may be charged. Fees should into account the administrative costs of providing the information or taking the action requested.  

Requests must be answered within one month of receipt of the request, but can be extended by two months if the request is very complex. Any delay should be justified and accompany the request response. The format of the response should be based on the means used to make the request, unless otherwise requested by the data subject. In other words, if a request is emailed, the response should be via email unless the individual requests a mailed letter.  

Where the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject. However, a reasonable proof of identity is always recommended. Every person may contact the UK Information Commissioner’s Office (ICO) to receive assistance in the exercise of his or her rights (particularly if the right of access has been denied).


HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Processors and sub-processors should establish official procedures and contacts for employee requests.

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk