Every employer will recognise the sinking feeling which accompanies receipt of a data subject access request from a current or former employee. Not only is it a fair indicator that he is considering doing something unpleasant to you, but you also face the prospect of wading through your entire server, waist-deep in irrelevancies, to find the one document which the employee knows with absolute certainty (whether in fact it exists or not) to constitute the smoking gun he is seeking. Is that really necessary? Do you genuinely have to have your deleted email records expensively rebuilt just to see if they contain anything at all about the applicant?
Help, or at least a degree of clarity, is at hand. Last month the Information Commissioner’s Office issued version 1 of its Subject Access Code of Practice, “Dealing with Requests from Individuals for Personal Information”. Much of this reiterates known principles about basic data subject access rights, but there are a number of potentially useful pointers for employers around the margins:
- First, the bad news: “You should be prepared to make extensive efforts to find and retrieve the requested information… It will never be reasonable to deny access to [that] information merely because responding to the request may be labour-intensive or inconvenient”.
- “Even so”, the Code says reassuringly, “you are not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information”. That begins to sound better, but it later becomes clear that this relates not to the retrieval of the information but to the practicalities of supplying copies of it to the requester. And even on that score, “We stress that you should rely on the disproportionate effort exception only in the most exceptional of cases… We rarely hear of instances where an organisation could legitimately use disproportionate effort as a reason for denying an individual access to any of their personal data”.
- The Code makes a sensible distinction between data which is archived and that which is deleted. Material is archived, it says, because the employer has made a conscious decision that it may be needed at some point in the future. It is implicit in that determination that access can be made to it and therefore to particular documents or electronic files relatively easily. “To the extent that your search mechanisms allow you to find archived or backed-up data for your own purposes, you should use the same effort to find information in order to respond to a subject access request”.

  However, the position in relation to deleted information is different. For these purposes, data is “deleted” when you try to permanently discard it and you have no intention of ever trying to access it again (i.e. not merely because it has been moved to a user’s “deleted items” folder, which is not really deleted at all). The ICO’s view is that “If you delete personal data held in electronic form by removing it as far as possible from your computer systems, the fact that expensive technical expertise might enable it to be recreated does not mean that you must go to such efforts to respond to a subject access request. … The Commissioner does not require organisations to expend time and effort reconstituting information that they have deleted as part of their general records management”.

  Do note the words “as part of their general records management” – if it became clear that particular electronic documents or emails had been deleted specifically to avoid their disclosure via a DSAR, the ICO could order the employer to incur whatever cost was required to restore them.
- It is always worth asking the data subject requester if he can provide you with information to help you locate any particular information he is seeking – a time window, perhaps, or parties to correspondence, or in relation to a particular subject matter, etc.
- The certain knowledge that, whatever the employee is planning to do with the information, you will not like it is not a good reason for declining a DSAR, nor is the existence of parallel litigation under which overlapping disclosure obligations may arise. The ICO guidance makes it clear that the key to making responses to DSARs as painless as possible is the efficiency and robustness of your data retrieval systems, and not any ability you might think you have to duck them by claiming it all to be just far too difficult to deal with.
The superficially obvious solution, i.e. just deleting everything as soon as you are no longer using it, should be resisted. In cases where discrimination or equal pay claims can cover ground many years into the past, retaining all those old pay documents, performance assessments, disciplinary records and promotion/termination rationales is still unfortunately the safest approach.