In our last head-to-head, we asked if procedural rules in the office should be relaxed and it seems a majority of you believe that the workplace is for work, with 67% saying that rules should not be relaxed and 83% saying you had no plans to do so. It is good to have some objective ammunition for me to use against anyone who accuses me of being a killjoy, so thank you all for that. In a result with which I fundamentally disagree, however, a large majority of you also suggested table football rather than table tennis in our large and currently empty office entrance hall – surely the most perplexing result in our series of head-to-heads so far.
As for today’s head-to-head, employers are used to employees who face disciplinary proceedings hitting back with a data subject access request. This forces the employer to find, process and analyse potentially thousands of emails within 40 days. The Data Protection Act is now 17 years old - is it fit for purpose? Is there still a legitimate interest in an employee having access to their personal data or has the whole system opened itself up for abuse? For the full debate, see below.
The Data Protection Act 1998. This says it all: the Act dates from the last century. When it was drafted, many workplaces had limited IT resources. Email, let alone text, was not universally used.
The Act was a fair attempt in the growing age of technology for an employee to assess what personal information might be held. It is now out of date.
Every business now operates a myriad of communications - whether documents, emails, instant messaging or texts. It is not possible to do otherwise. The mere act of employing someone will mean that data will be processed and will be stored. A subject access request now involves a vastly disproportionate amount of time and effort in order for all that information to be recovered, processed, analysed and despatched to the employee within the given 40-day period. It can bring an SME to a virtual standstill as managers and IT staff try to assess what is disclosable. Even with the use of external IT consultants, management decisions have to be made to ensure that personal data which relates to other people is removed. It is not good enough just to collect and send the data. Subject access requests have become a detailed legal exercise that can be imposed upon any organisation. Get it wrong and fines from the Information Commissioner’s Office (ICO) can be up to £500,000. The £10 administration fee is little better than a joke.
From the very beginning, things went wrong. When the Data Protection Act first came out, it seemed to make sense. Personal data was only meant to include documents which contained an 'expression of opinion' about an individual. The ICO guidance, however, went much wider than this. It classed personal data as information from which an individual can be identified and which 'relates to' or is 'obviously about' them. Let’s just say it is everything.
Can we really expect businesses to manage such onerous processes? With Parliament now having to decide the extent to which the state can monitor an individual’s communications and consider the correct balance between individual freedom and national security, the Data Protection Act is out of date. In 2015 electronic communications and storage are an everyday, indeed every minute, part of business. Usage since 1998 in the UK has gone up by more than a hundredfold. To review communications that 'relate to' a particular employee is just not practical.
It might be worth remembering that the purpose of a subject access request is for someone to assess whether their data is being processed and for what purpose. In practice, employees don’t give two hoots about this. Time and time again a subject access request is only used to cause maximum disruption by a disgruntled employee. This often relates to existing or anticipated litigation. It doesn’t help that the High Court has recently held that even if a subject access request is made in the context of litigation, so long as it also contains a genuine wish to assess the accuracy of the data, it is valid. Of course, all the employee needs to do is copy and paste into their request letter the standard wording. They wish to know: 'the purposes for which the data is processed, the source of the data and to whom the data has been disclosed'.
So let’s take a step back. Employees certainly need access to information if they have been maltreated. That is what employment tribunals and courts are for. These forums already have their own process of discovery. Over the last 15 or so years we have seen the Data Protection Act produce an artificial, disruptive, expensive and unnecessary discovery process of its own. It is time to put a stop to it.
Receiving a Data Subject Access Request (DSAR) is a heart-sinking moment for employers. Perhaps there are smoking guns lurking in your emails. Countless hours of management time may be consumed. Your lawyers may even be needed!
The good news is that recent case law and, critically, good information management and planning helps employers to deal with requests. DSARs help protect the rights of the individual, and they don’t need to be scrapped – but what’s needed is a fresh approach by employers both proactively and responsively.
DSARs allow individuals to check the accuracy of data held by 'data controllers'. However, DSARs can be – and often are – used disingenuously by aggrieved (ex)employees to cause trouble for the employer and as a bargaining chip. Paying a £10 fee and submitting a broad-brush DSAR is easy to do, but dealing with the DSAR can be onerous. We have helped numerous clients with managing DSARs and have some tips on how to make the process less painful.
The Information Commissioner’s Office (ICO) Guidance indicates that DSARs must be answered even where onerous for the employer; however, the courts are increasingly taking a more pragmatic approach. It has recently been held that it is disproportionate to require skilled lawyers to review a significant amount of historic paper and electronic documents when the applicant only paid the £10 fee.
Our top tips: planning
- Consider where your information risks are. Chatty emails? Instant messaging? SMS? DSARs don’t just relate to email – all organised paper records, electronic documents and communications are in scope.
- Introduce up-to-date policies on data handling and document creation. Breaching the policies would be a disciplinary offence.
- Keep training your staff. How do your policies and legal obligations make sense in their day-to-day work?
- Introduce and abide by data retention policies so out-of-date data is destroyed.
- Most importantly, agree an action plan so that if you receive a DSAR you’ll know what to do. Who will gather the data? Who will sift it? It can be more cost-effective and efficient to outsource these steps.
Our top tips: on receipt of a DSAR
- Get cracking: you have 40 calendar days to respond. We find there are always Bank Holidays in this period and/or the 40th day is a Sunday.
- Clarify the scope of the request if it’s very wide.
- Is there a truly disproportionate burden in complying? You may be able to limit the scope of the search considerably (although you should do what you can to comply – it would normally not be appropriate to refuse an entire request on this basis).
- Once the basic data has been gathered, sift it, or have it sifted, for disclosable, redactable or exempt data. This is where we’re usually called in.
In conclusion, data protection is here to stay. The right of individuals to check how their data is processed is fundamental and employers can expect to receive DSARs in a variety of circumstances. The well-prepared employer should have nothing to fear from such a request, either in terms of unfortunate content or management of the process. DSARs are not unmanageable – unless there are existing flaws in the employer’s procedures and policies.