Data Subject Access Requests – navigating employee data rights
Under the Data Protection Act 2018, employees have the right to obtain the personal data that their employer is processing about them. Making this request is known as a data subject access request (“DSAR”).
Throughout this article we signpost the importance of dealing properly with DSARs, identify some of the common issues, and offer guidance on troubleshooting these problems.
What the process looks like
How is a request made?
Under the legislation, personal data is defined as “any information relating to an identified or identifiable living individual (‘data subject’)”. This casts a wide net when considering the information that an employee has the right to obtain. Personal data can range from basic information, such as an employee’s age and sex, to more nuanced information, such as internal communications or statements in which an employee is specifically mentioned. Where an employee has made a DSAR, they are additionally entitled to information about the processing of their personal data, such as the purposes for which the data is being held.
The request can be made in writing, by email, or orally by the employee and the legislation does not set out any formal requirements that an employee needs to meet in order to make a request. It is therefore important that organisations have procedures in place to aid the recognition and internal escalation of DSARs.
Responding to a request
Generally, the information requested in a DSAR must be provided ‘without undue delay’ and in any event within one month of receipt of the request.
There are, however, certain scenarios where the one-month period can be extended. This is when requests are particularly complex or numerous. The extension can be for up to two months and the employer must inform the employee of the extension and provide the reasons for the delay.
Additionally, the clock can be ‘stopped’ while the employer seeks clarification of the information or processing activities the employee has requested. This is usually reserved for occasions where the employer holds a vast amount of data about the employee, and the clock ‘resumes’ once the employee provides clarification. Information must be provided without charge unless the employee has made manifestly unfounded or excessive DSARs, in which case a reasonable fee may be levied.
DSARs can be time consuming to deal with. Employers should be mindful of the relevant time periods for responding and leave enough time to locate the personal data that the employee has requested.
Failure to respond to a request within the time frames, or at all, may result in a complaint by the employee to the Information Commissioner’s Office (“ICO”). The ICO may decide to investigate the complaint and issue an enforcement notice, which could include specific performance of the DSAR and/or a monetary penalty. Additionally, failure to respond properly to a DSAR exposes the employer to an increased risk of litigation.
Personal ‘data’ not personal ‘documents’
A common misconception among employers is that employees requesting their personal data are entitled to the full documents that mention their details.
As an example, an employee seeking to retrieve information about internal grievances made against them may make a DSAR expecting to receive the entire suite of documentation relating to the grievance. In actuality, the employee will only be entitled to the information that is specifically about them, such as sentences that contain their personal details and / or may reference them in some way.
In providing this information to the employee who made the DSAR, relevant paragraphs or sentences can be ‘lifted’ from the documents and sent to the employee, or documents redacted to only include the personal information identified. In any case, employees are not entitled to full copies of original documents.
Dealing with data relating to another employee
Often in the employment context, data relating to one employee also contains information relating to another employee of the organisation. Disclosing the requesting employee’s data might infringe the rights of the other employees whose data is contained within that information.
In this instance, employers will need to carry out a balancing exercise considering the rights afforded to individuals under the Data Protection Act 2018, and other details such as the type of information that will be disclosed and any duties of confidentiality owed to any third-party individuals.
To best mitigate the risk of breaching any third-party rights, consent should be sought from the third party for their information to be disclosed. Whilst this is not essential and there is no strict obligation to seek consent, it generally reduces the risks associated with disclosing third-party information. If consent is not given, the employer must consider whether it is appropriate to disclose the information without consent. Alternatively, or indeed in addition, employers should consider whether third-party rights can be protected by redacting certain elements of the data.
The extent of the search
Generally, when conducting searches employers should consider both electronic and ‘hard copy’ data. This includes searching servers, emails, ‘off-server’ data storage devices (such as USBs and data drives), and paper files.
The extent of the duty on employers to locate the requested data is that of ‘reasonable efforts’. Employers are expected to conduct thorough searches, but need not ‘conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information’. In evaluating this, employers should take stock of the following:
- the circumstances of the request;
- any difficulties involved in finding the information; and
- the fundamental nature of the right of access.
The burden of proof is on the employer to evaluate the extent of the search and justify whether it is unreasonable or disproportionate.
To ease the pressure of conducting laborious searches, organisations should ensure that they have robust filing systems in place in which both ‘live’ and ‘archived’ data are easily accessible. Further, employers should consider whether they have a genuine business need to archive some types of employee data, and should consider setting defined retention periods after which redundant data is deleted and removed from their systems.
The burden on organisations to comply with DSARs was considered in the recent 2021 consultation on reform of the United Kingdom’s data protection laws by the Department for Digital, Culture, Media and Sport (“DCMS”).
In the proposed reforms, the DCMS is considering introducing a fee structure to deal with businesses’ capacity to respond to requests and the threshold for responding. Further measures to reduce the burden on employers may include re-introducing a nominal fee and amending the criteria for what constitutes a ‘manifestly unfounded’ DSAR.
Dealing with DSARs can often be challenging, particularly when an employer holds large amounts of personal data of its employees. Although possible future developments are on the horizon, DSARs are here to stay and there is a burden on organisations to ‘get it right’. Failure to do so can expose businesses to large fines and sanctions and so it is vital that businesses are properly equipped to deal with any employee requests for personal information.