Summary: Welcome to our new Workplace Data: Managing Risks and Protecting Information series. It’s not easy managing your workplace data. Stopping employees stealing your know-how, ensuring you monitor staff correctly and gathering evidence for a tribunal claim in the best way possible are all examples of the issues you can face. Over the next few months we’ll give you practical guidance, top tips and useful tools for dealing with problems such as these.
For our first blog in our Workplace Data series we’re focusing on the impact of recent case law developments on how employers deal with subject access requests (SARs). Here are the best practice points to bear in mind:
1. An employee’s motive for making the SAR is not grounds for refusal
Employees often use SARs as a way of getting early access to documents outside of the litigation disclosure process. Making a SAR can also be a tactic for putting pressure on an employer, given that complying with an employer’s SAR obligations can often involve a lot of work. Unfortunately the Court of Appeal this year confirmed that an individual’s motive for making a SAR does not excuse an employer from properly dealing with it. As long as the employee genuinely wants to discover what information is being processed about them or wants to check its accuracy, even if this is only a collateral purpose of making the SAR, you cannot refuse to deal with it.
2. You’re entitled to take a proportionate approach to the whole SAR process
Previously, case law suggested that an employer could only consider proportionality in terms of how the employee was provided with their SAR information, after the employer had done all the relevant searches. The Court of Appeal has now emphatically rejected this approach. Whilst proportionality cannot be relied on to justify a blanket refusal to comply with a SAR, an employer can legitimately limit its search for personal data and its response to what is reasonable in the circumstances.
3. Don’t forget to analyse whether documents contain “personal data” at all
The Court of Appeal has also recently reconciled two contradictory cases on what amounts to personal data. The key point to note is that if you receive a broad SAR requesting all documents where an individual is mentioned, you only need to disclose documents where the information is biographically significant and the data subject is the focus of the information. Applying this test can significantly limit the number of documents which are potentially within the ambit of the SAR.
4. The recipient is entitled to information, not documents
A SAR gives employees a right to be provided with information about themselves, not the right to receive documents. It is common for an employer to respond to a SAR by giving copies of the documents which contain the employee’s personal data. However, case decisions this year make it plain that there is no obligation on employers to provide copies of documents. In the context of an employee using a SAR as a litigation tactic, it may therefore be worth revisiting this approach and instead providing summaries of just the personal data in the documents. Whilst this can be more time-consuming for an employer to do, it could potentially prevent the employee from gaining the intended litigation advantage.
5. If your SAR response is challenged, the court has a discretion over what enforcement order to give
If an employee brings enforcement action in the courts, alleging that an employer has failed to respond properly to their SAR, the courts have a discretion as to what order should be made. While the presumption is in favour of the employee, relevant factors in exercising this discretion include proportionality and the value of the data to the individual. Importantly, motive is a relevant factor here. For example, in one recent case, the court expressly took into account the claimant’s “bullying behaviour” when it refused to grant the order he sought. If you are faced with an onerous and potentially unreasonable SAR, it may therefore be worth considering the extent to which the courts are ultimately likely to order compliance when assessing how exhaustive your initial SAR process will be.
How will things change under the General Data Protection Regulation?
The General Data Protection Regulation (“GDPR”) will make some significant changes to the SAR process, some more onerous for employers, some more employer-friendly:
- employees will be entitled to additional information, including the envisaged period of storage of their personal data as well as details of their rights to erasure, rectification, restriction from processing and the right to object to processing.
- the somewhat pointless £10 fee will be abolished, and if a SAR is “manifestly unfounded or excessive”, employers may charge a “reasonable fee” based on the administrative costs of providing the information, or potentially even refuse to comply at all with the request. It remains to be seen what amounts to a “reasonable fee” and whether the prospect of a fee will act as a deterrent.
- the period of compliance will change from 40 days to one month, with the possibility of an extension of a further two months if necessary for complex requests.