The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Unlike sector-specific US data protection regulations for health data (the Health Insurance Portability and Accountability Act) or finance (the Gramm-Leach-Bliley Act 1999), GDPR is an EU regulation on data protection and privacy that applies to all organisations that store or process the personal data of individuals in the EU/EEA/UK, such as employees. The GDPR also grants employees in the EU/EEA/UK the right to access any personal data their employer holds on them. This is known as a data subject access request (DSAR) and is increasingly used in the UK when an employee is disgruntled with their employer.
Due to the law’s territorial scope, GDPR does not only apply to organisations in the EU/EEA/UK, but also to organisations worldwide including the US, as long as they offer goods or services to individuals in the EU/EEA/UK or monitor the behaviours of individuals inside the EU/EEA/UK.
In the context of employment, a data subject can include clients, former employees, existing employees and job applicants. A huge amount of personal data is collected by employers about employees during their employment and, therefore, dealing with a DSAR can be very arduous and time consuming.
However, failure by organisations to comply with GDPR can result in heavy fines, which can be as high as 4% of their annual global revenue or €20 million, whichever is higher.
This article highlights 10 top tips to consider when an employer has to deal with a DSAR from an employee:
- Provide training to staff
It is crucial that staff, such as the HR team, understand what a DSAR looks like and who should be notified about it once it has been received. Training relevant staff on aspects of DSARs is crucial in order to avoid complaints to the UK’s regulator – the Information Commissioner's Office (ICO).
- Ensure you are responsible for responding to the DSAR
The GDPR draws a distinction between a ‘controller’ and a ‘processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility.
- a ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; and
- a ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
An employer will be the data controller, so it is their responsibility to respond to a DSAR.
If you are a processor, you should handle any request you receive as outlined by the data controller. If you are a joint controller, you should have a transparent arrangement in place between you and the other controller which sets out how to deal with the request.
- Ensure you have adequate time to deal with the request
The clock starts ticking on the day the DSAR is received, even if that day is a weekend or public holiday, and the time limit to respond is one calendar month from that date. It ends on the corresponding calendar date of the following month.
You may be able to extend the time limit by a further two months if the request is complex or if you receive a number of requests from the employee. Whether a request is complex depends upon the specific circumstances of each case. However, it is important to flag that a request is not complex solely because the employee requests a large amount of information.
- Try, if possible, to narrow the scope of the DSAR
There are several ways to narrow down your searches, including asking the employee to provide additional details about the information they want to receive, such as the context in which you may have processed their information and the likely timeframes they are interested in.
However, do note that an employer cannot force an employee to narrow the scope of their request, and they are still entitled to ask for ‘all the information you hold’ about them. Even if the employee refuses to provide any additional clarification, the employer must still comply with their request by making reasonable searches for the information.
- Consider whether the DSAR is manifestly unfounded or excessive
An employer can refuse to comply with a DSAR if it determines that it is manifestly unfounded or excessive. However, this is not a simple tick-list exercise: no single factor automatically makes a request manifestly unfounded or excessive. If the employee genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.
To determine whether a request is manifestly excessive, an employer should think about whether it is clearly or obviously unreasonable or not. Do note that a request is not necessarily excessive just because the employee requests a large amount of information.
- Conduct a reasonable and appropriate search
An employer is not required to conduct searches that would be unreasonable or disproportionate; however, the burden of proof is on an employer to be able to justify why a search is unreasonable or disproportionate.
An employer should consider the various places where data may be stored such as deleted data, archived data, back-ups, Microsoft Teams messages, Zoom messages and corporate mobile data, including WhatsApp messages. While search mechanisms for electronic archive and back-up systems might not be as sophisticated as ‘live’ systems, an employer will need to use the same effort to find information to respond to a DSAR as it would to find archived or backed-up data for their own purposes.
- Remember this is not litigation
It is important to remember that this is not a disclosure exercise in litigation. Employees are only entitled to their personal data, and that is it!
Also remember that an employer does not have to disclose everything as some personal data may be legal professional privilege correspondence or commercially sensitive information.
- Carry out a second review
Once the data has been through a first round of review, it is worthwhile to carry out a second review to ensure all the data being sent is actually personal data.
Just because the employee’s name is stated in an email or document does not necessarily mean that it contains personal data. It is vital to make sure you understand what ‘personal data’ is and ensure the same approach is applied to all data reviewed in the DSAR process.
- Allow time for redactions
It is vital to allow time to redact data that is not the personal data of the employee. This includes other people’s personal data and commercially sensitive information.
In respect of other people’s personal data, an employer should check if it needs to seek consent from that person. If they cannot get consent and it is not reasonable to provide the information to the employee without it, then think about redacting the data belonging to others in order to minimise any issues.
- Consider how the data will be sent to the employee
Once the relevant personal data has been reviewed and sorted, an employer must provide the employee with a copy. As a general rule, if a DSAR was made to you by email, then there’s an expectation that the reply will be by email too, unless the employee says otherwise.
Remember, the onus is on the employer to provide the information to the employee. Think about some of the ways to send an electronic file securely such as including the data on an extranet or in a password-protected file, with the password sent in a separate email.