Subject Access Request: Can Employees See Their Personnel File?

12 February 2025 | Employees, Questions

We were recently asked ‘can an employee see their personnel file’. This is a really important question and it’s crucial that all businesses know the answer to this. In short, yes, employees in the UK have the right to make a subject access request for their employment record.

What is a Subject Access Request?

A Subject Access Request (SAR) is a formal request made by an employee to access personal data that their employer holds about them. Under UK GDPR, employees have the right to request copies of their personal information, understand how it is processed, and check whether it is being used lawfully. Employers must respond to a SAR within one month of receiving the request. Failure to comply with SARs can result in legal consequences, including fines from the Information Commissioner’s Office (ICO). It can also lead to reputational damage for the employer.

Employee Rights Under UK GDPR

The General Data Protection Regulation (GDPR) is a European regulation that remains applicable in the UK through the Data Protection Act 2018, which came into force on 25 May 2018. Under UK GDPR rules, an employee is entitled to submit a request for access to any personal data about them. GDPR sets clear guidelines on the protection of personal data held on a filing system as well as data collected online. As an employer, you must comply if anyone requests a copy of their personnel file.

Under UK GDPR, employers must adhere to the following principles of data processing:

  • Lawfulness, Fairness, and Transparency – Employers must process employee data legally, fairly, and transparently.
  • Purpose Limitation – Personal data must only be collected for legitimate and specific purposes.
  • Data Minimisation – Only necessary and relevant data should be collected and stored.
  • Accuracy – Employers must ensure that employee data is accurate and up to date.
  • Storage Limitation – Personal data should not be kept for longer than necessary.
  • Integrity and Confidentiality – Employers must ensure data security and protection against unauthorised access, loss, or destruction.
  • Accountability – Employers are responsible for demonstrating compliance with GDPR.

What is a Personnel File?

A personnel file (or employee record) is a collection of documents an employer maintains about an individual employee. It typically contains both personal and professional information, including:

  • Basic Information: Name, address, contact details
  • Employment Contract: Job title, salary, benefits, start date
  • Performance Reviews: Appraisals, feedback, goals
  • Training & Development Records: Courses, certifications, progress
  • Disciplinary Actions & Grievances: Warnings, complaints, resolutions
  • Attendance & Leave Records: Absences, holiday entitlements
  • Health & Safety Information: Workplace assessments, accident reports
  • Tax & Payroll Information: Payslips, tax code, deductions

The purpose of maintaining a personnel file is to document an employee’s history, performance, and key employment records.

Employee Consent

Under UK GDPR, employee consent plays a crucial role in data processing. Employers must ensure that any personal data collected, stored, or shared is done so with the explicit and informed consent of the employee unless another lawful basis for processing applies. You must seek employees’ permission to keep sensitive data such as:

  • Religion
  • Race and ethnicity
  • Political membership or opinions
  • Genetics
  • Trade union membership
  • Biometrics
  • Sexual history or orientation
  • Health and medical conditions

You must keep this sensitive data more secure than other types of data.

Exceptions

There are some exceptions to an employee’s right of access to their personnel file. One exception is where disclosure of the information would reveal personal information about a third party who can be identified from the information. In this case, you will have to find a solution that supports the employee’s right to view their information while also protecting the privacy of the third party mentioned.

You should either withhold certain information in order to conceal the identity of the third party or, if this is not possible, seek his or her consent to the disclosure of the information.

The employer should also disclose the data in the personnel file if it would be reasonable in all the circumstances to do so without the consent of the third party. What is reasonable will depend on the duty of confidentiality owed to the third party, any steps that the employer has taken to seek his or her consent, and whether the third party is capable of giving consent or has expressly refused consent.

Training managers to handle personnel file requests properly is essential in ensuring compliance with GDPR and data protection laws. Without adequate training, there is a risk of mishandling sensitive information, which could lead to legal and financial repercussions.

How to Respond to an Employee’s Personnel File Request

Under GDPR, employers must respond to a subject access request (SAR) within one month. If verification of identity is required, the timeframe starts only after the necessary details have been received.

Step-by-Step Guide:

  • Acknowledge the Request – Confirm receipt of the request via email or letter, including a reference number.
  • Verify Employee Identity – Request proof of identity (e.g., passport, driving licence) before proceeding.
  • Compile & Review the File – Gather the relevant documents and ensure that any exempt information is redacted or excluded.
  • Provide the Personnel File – Deliver the file in the format requested by the employee (hard copy or digital file).
  • Address Follow-Up Queries – Be prepared to clarify any concerns or provide additional explanations if necessary.

Right to Request Corrections

Employees also have the right to correct inaccurate or misleading information in their employment record. If an employee disputes any record, they can request amendments or deletions where appropriate.

Need Help with HR Compliance?

Employers must handle personnel file requests correctly to ensure legal compliance and maintain employee trust. If you need guidance on HR file access policies, GDPR compliance, or handling subject access requests, get in touch with our expert team today.

Are you ready to elevate your HR strategies?

Connect with our expert team for tailored solutions and insights. Call The HR Booth at 01383 668178 or reach out via email at info@thehrbooth.co.uk or use the contact form.

Let’s transform your human resources approach together!
