Employees' ability to request a copy of their personal data and to know how and why it is being processed is an important right in this technology- and data-driven age. Heightened awareness of data privacy rights following the introduction of the General Data Protection Regulation has increased the number of subject access requests from current and former employees. Such requests may also be used as a litigation weapon by disgruntled employees.
As responding to subject access requests can be costly and time consuming, being prepared and organised can save employers considerable time and money, particularly in the context of employment disputes.
In anticipation of receiving subject access requests, employers should:
- identify a coordinator (either for the company as a whole or, where relevant, each business unit) who will be responsible for dealing with subject access request enquiries and ensuring consistent responses throughout the organisation; and
- establish a record retention policy which sets out the maximum retention periods for employee records (such records should be kept only for as long as they are accurate, relevant and necessary for the purpose for which they were collected).
Employers should carefully consider the following systems in their organisations in order to comply with subject access requests:
- centrally held HR resources (eg, personnel files, absence records, working time records and appraisal information);
- emails (including inbox, sent items and deleted items) relating to the data subject and their managers and colleagues; and
- document and manual filing systems.
Companies should prepare a checklist and template document to record any searches.
Employers must comply with and respond to a subject access request within one month.
Subject access requests from employees with long employment histories can span years or sometimes even decades. Where the request stems from a particular issue or dispute, employers should consider seeking an agreement from the employee to refine the search's scope. This allows employers to perform searches according to more clearly defined criteria (eg, timeframe, search terms and sources) and save considerable time and money.
Employers should maintain a record of the searches conducted and not forget the bigger picture. Where there is a dispute with an employee, the review serves the dual purpose of:
- identifying any exposure in the dispute; and
- ensuring data privacy compliance.
Employers should review the documents and consider if any exemptions can be relied on to limit the information provided. A consistent redaction process is required because not every document will contain the relevant employee's personal data, and the personal data of other employees may be included.
Employees are entitled to copies of their personal data along with additional information relating to its processing. Employers should always retain a copy of documents sent to their employees.
Subject access requests are becoming a common step in employment disputes. Therefore, employers should:
- have a strategy in place before they receive a subject access request from a disgruntled employee (eg, develop template documents and establish robust processes). This will save the company time and money in the long run;
- ensure that there is a tried and trusted system for conducting and recording searches; and
- train the company's HR team and managers in how to handle subject access requests.
For further information on this topic please contact Vanessa Hogan at Mason Hayes & Curran by telephone (+353 1 614 5000) or email (firstname.lastname@example.org). The Mason Hayes & Curran website can be accessed at www.mhc.ie.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.