Significant Rise in Employee DSARs Since May 2018
Since the introduction of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) last year, evidence points to a sharp increase in the number of individuals in the UK using data subject access requests (DSARs), requests by which individuals exercise their right to obtain a copy of their personal data, to obtain information from their employer or ex-employer. By way of example, in the first five months of 2019, we have supported our clients with nearly as many DSARs as for the whole of 2018. We have seen a particular increase in DSARs being used where an individual is facing a disciplinary or performance management process and wants to cause problems for the business or to get advance disclosure prior to raising a claim.
Dealing with DSARs can be challenging, costly and time consuming. During April of this year, we surveyed 90 companies with operations in the UK to better understand their experience of DSARs since the GDPR and the DPA came into force and the different ways in which they are coping with this challenge.
The companies surveyed ranged in size from 26 to 16,000 employees across a number of industry sectors, including aerospace and aviation, building and construction, charity, consultancy services, education, food and drink, financial services, hospitality and leisure, information technology, logistics, manufacturing, media and creative, retail and wholesale, telecommunications, and waste and recycling.
Our key findings were:
- 71% (64/90) of all organisations surveyed had experienced an increase in the number of employee DSARs since May 2018
- Of the 64 organisations that had seen an increase in DSARs, 67% had experienced an increase in costs associated with the process of responding to DSARs
- Also, of those 64 organisations:
  - 83% have put in place new guidelines and procedures
  - 27% have acquired new personnel to deal with this growing trend
  - 20% have adopted new software/technology
Just under a quarter (24.4%) of all respondents noted that DSARs involved employees seemingly just wanting to know what the organisation has on record about them. However, 65.5% (59/90) noted that they had dealt with DSARs that were connected to a workplace issue (for example, grievance, redundancy, performance management, etc.), while specifically among the 64 companies identifying an increase in DSARs since the GDPR, 92% confirmed they had dealt with DSARs connected to a workplace problem.
The survey indicates a significant rise in DSARs across industry sectors, with companies of all sizes being affected (from the smallest in our sample to the largest), and that they are mainly being used to get advance disclosure or to cause problems for the business rather than just get details of what data it holds about them.
Costly and Time Consuming
The demands placed on organisations are considerable: just the initial process of identifying all the data held in respect of an individual can take weeks out of the one-month period for responding.
The survey also indicates clearly that costs have increased for two-thirds of those dealing with the rise in DSARs, which is not surprising considering the man-hours required to process a single request. Each request requires correspondence with the individual, arranging the data platform, IT searches of data held, review of potentially thousands of documents at least twice, redaction or exclusion of information that is privileged, relates to third parties or falls under another exemption set out in the GDPR, and returning to the individual along with a cover letter. For the most part, this whole process must take place within one month of receipt.
While the majority of organisations post-GDPR are ensuring compliance by putting in place new guidelines and procedures regarding DSARs, significantly fewer have hired new personnel or acquired new technology to deal with the issue. Although we are waiting for guidance from the Information Commissioner's Office (ICO) on employee DSARs, it is difficult to see this issue going away, as employees can see DSARs as a strategic tool to use where there is a workplace dispute. Given the cost implications of processing a DSAR, receiving one can often incentivise employers to settle matters more quickly. In addition, where an individual is considering bringing a claim, a DSAR gives them access to information that would otherwise not be seen by them for several months or at all if the DSAR was not raised in the first place.
Aside from the technological requirements and costs incurred in processing DSARs, in our experience, the process is rarely straightforward. Employee data is inevitably entwined with their day-to-day role. Customer information, data regarding other employees and forecasting data often crop up in the midst of the individual's personal data. Privilege is also often a trickier issue than our clients anticipate: having a lawyer on copy does not automatically make correspondence privileged, nor does correspondence with a lawyer that does not relate to seeking or receiving legal advice attract privilege.
While the survey implies that individuals are more aware of their rights to put in a DSAR, in our experience, they often do not consider the prospect of their correspondence being disclosed to another individual. Many employees freely send each other emails or messages on instant messaging programmes about their colleagues in the belief those messages will never be seen. While in some cases third-party data can be effectively redacted, balancing the right of privacy of third parties against the right of an individual to access this data can raise complex legal issues that are time consuming and costly to deal with.
Complaints Have Also Increased
Not only has there been a rise in employee DSARs since May 2018, but there has also been a broad increase in complaints to the ICO when individuals have not had their DSAR dealt with in the appropriate timescale or the expected documentation has not been provided. According to the ICO, the number of complaints it has received about DSARs has more than doubled since 2016, with 9,090 recorded from 25 May 2018 to 11 December 2018 compared to 4,600 in the same six-month period in 2017 and 4,000 in 2016. In some sense, this is unsurprising, as responses now must refer to the right of the requestor to complain to the ICO, not just ask them to come back to the employer or organisation holding the relevant data with questions. The onus is clearly on a business or organisation to process a DSAR in an efficient and timely fashion, and, more importantly, in a way that complies with the GDPR.
In conclusion, our survey data reflects a trend we have experienced since the introduction of the GDPR and the DPA: DSARs are being used increasingly by individuals who are more aware of their rights, and often in the context of a workplace issue. We anticipate that this trend is likely to grow. Consequently, businesses need clear policies and procedures to enable them to deal with DSARs in accordance with the GDPR and the DPA to avoid attracting the attention of the ICO and any subsequent enforcement action.