Under the Data Protection Act your client is the Data Controller, as they collect and manage the information. You are merely an outsourced service provider, and as such are a Data Processor.
The ultimate responsibility for the data lies with the client (as the Data Controller). Therefore it is their decision whether to allow access to the data to individuals. Your role as a Data Processor is to follow the instructions from the Data Controller.
Of course you may have an agreement with the client to allow you to speak directly with employees, and if that is the case it should be covered by your engagement letter.