
Request Denied

jakejb79

Laughing Cow
At a company I am currently working at two people have requested to see their HR file, one because of lack of training opportunities and one because of a current illness.

They both made subject access requests under GDPR but both deadlines were missed, I'm just wondering if this is just lazy management or does it point to something they want to hide.
 
At a company I am currently working at two people have requested to see their HR file, one because of lack of training opportunities and one because of a current illness.

They both made subject access requests under GDPR but both deadlines were missed, I'm just wondering if this is just lazy management or does it point to something they want to hide.
I wouldn't get too hung up on the exact "why" - often incompetence covers up for deliberate secrecy anyway. If they've missed the deadline that's all that's important. It means they have not fulfilled their legal requirements under GDPR.
 
At a company I am currently working at two people have requested to see their HR file, one because of lack of training opportunities and one because of a current illness.

They both made subject access requests under GDPR but both deadlines were missed, I'm just wondering if this is just lazy management or does it point to something they want to hide.

How big is the company? How professional are they? What is HR like?

I'm pretty sure my company would be unable to produce a HR file on anyone because they wouldn't know what one looks like.
 
I wouldn't get too hung up on the exact "why" - often incompetence covers up for deliberate secrecy anyway. If they've missed the deadline that's all that's important. It means they have not fulfilled their legal requirements under GDPR.

I'd write back, point out they've missed their 30 days, and ask if they intend to fulfil this request or even to reply.

i.e. ask if they want a bit more time or if you should go to the ICO?

All that's going to happen in the first instance is the ICO is going to send them a letter reminding them of their obligations, so you might as well give them a second chance so you can tell the ICO you've done this.

Alex
 
They may not have realised that the GDPR changed some deadlines and tightened them up, being charitable. Or they may just be crap. Or both. But my money is on them not being aware of their legal obligations.

If there is an information security team, speak to them, they would want to know this.
 
I'd write back, point out they've missed their 30 days, and ask if they intend to fulfil this request or even to reply.

i.e. ask if they want a bit more time or if you should go to the ICO?

All that's going to happen in the first instance is the ICO is going to send them a letter reminding them of their obligations, so you might as well give them a second chance so you can tell the ICO you've done this.

Alex
Good advice. The ICO will normally expect people to go through the internal process within the organisation before raising it with them. So in this case a reminder would be appropriate, and it is reasonable to say that they expect a response within x days or they'll report the matter to the ICO.

The ICO keep tabs on data controllers that have a history of being shit at compliance, so if this organisation is one of them they'll get more heavy if your colleagues complain.
 
How big is the company? How professional are they? What is HR like?

I'm pretty sure my company would be unable to produce a HR file on anyone because they wouldn't know what one looks like.

The company is in London and the South East, with about 50 employees. Apparently, when the GDPR law came in, the HR manager deleted all staff records before that date... Someone had to point out to him that probably wasn't the best idea.
 
How big is the company? How professional are they? What is HR like?

I'm pretty sure my company would be unable to produce a HR file on anyone because they wouldn't know what one looks like.

All HR files are kept in a locked cupboard in the directors office, so it's just the turn of three keys (maybe they've lost them all)
 
The company is in London and the South East, with about 50 employees. Apparently, when the GDPR law came in, the HR manager deleted all staff records before that date... Someone had to point out to him that probably wasn't the best idea.
Now that's not encouraging. I hope the records were reinstated, because having no records will look very off for a business with 50 employees.
 
Now that's not encouraging. I hope the records were reinstated, because having no records will look very off for a business with 50 employees.

HMRC will want pay and tax records kept for 7 years at the very least. No idea what company law says about retention of other records but I would guess that they would be required to keep some records of employees for 7 years as well. Potentially very illegal.
 
HMRC will want pay and tax records kept for 7 years at the very least. No idea what company law says about retention of other records but I would guess that they would be required to keep some records of employees for 7 years as well. Potentially very illegal.
The GDPR act does specify some limits. For example, if someone applies for a vacancy but is unsuccessful, there's a limit to how long you can keep that record for. All a general deletion would do is highlight that the company is ignorant and might be in breach elsewhere.
 
The GDPR act does specify some limits. For example, if someone applies for a vacancy but is unsuccessful, there's a limit to how long you can keep that record for. All a general deletion would do is highlight that the company is ignorant and might be in breach elsewhere.

But if the deletion included worked hours/wages/tax records, then this would breach HMRC rules about retaining financial records for 7 years.
 
But if the deletion included worked hours/wages/tax records, then this would breach HMRC rules about retaining financial records for 7 years.
Indeed. So before anything was deleted there should have been a plan made identifying what they had, what needed to be kept and what didn't. It's recognised that different records need to be treated differently within the Act, and that other regulations might trump the GDPR, in effect, like the tax ones.
 