Case study scenario
You work in the HR department at Holborn Digital Supplies Ltd (the Company). A sales team leader, Rob, approaches you with concerns that one of his team members, Tian, is "fiddling expenses and sales figures". Rob tells you that Tian is a practising Ukrainian Catholic.
A formal disciplinary investigation takes place and you interview and take statements from a number of Tian's colleagues. Several raise concerns about Tian's conduct, including John who tells you in confidence that he feels intimidated by Tian, and that Tian was aggressive towards him in the past when John asked him about his sales figures. As part of the disciplinary process, you obtain sales figures for Tian's clients and for other colleagues as a comparison. You have concerns about disclosing this all to Tian. You make a decision as to what information to disclose to Tian as part of the disciplinary process, and send a copy of this to Tian together with an invitation to a formal disciplinary hearing.
Prior to the hearing, Tian is signed off from work with a stress-related condition. Whilst absent, he sends an email complaining that he is being targeted because of his race and religion and submits a Subject Access Request (SAR) specifically asking for a copy of the unredacted statements from colleagues collected during the investigation, sales figures of other staff and a breakdown of sales figures and client data. The request also asks for all documents which mention him by name and any that refer specifically to his race and religion, as well as documentation that refers to race or religion generally and any complaints about Rob's management style.
A week after you send the response to Tian's SAR, you receive a complaint from Tian about the handling of his SAR, in which he threatens to take civil action and to complain to the ICO. His complaint specifically asks for copies of WhatsApp communications between Rob, John and another colleague, Vispi, sent using their company mobile phones.
The scenario above is a good example of the complex employee issues that often occur in day-to-day HR activities and which also raise or lead to significant queries in respect of the rights of employees as data subjects.
The crossover between employment and data protection law is a sensitive area, and employers will find themselves having to balance competing interests of both the business and the individuals they engage. Employment tribunals are ever more aware of data protection issues, as are staff members themselves, and the law is currently moving in the direction of increasing protection for individuals. Employers therefore need to be alert to data protection issues, to consider where they may crop up and to take steps to pre-empt and prepare for managing staff and staff data appropriately, in order to best position their business moving forward.
It is also worth noting that there is considerable scope under the GDPR for Member States to introduce their own rules on some aspects of HR data, so employers need to make sure they are up to date as local legislation is enacted.
As you will appreciate, you will need to consider the implications of employment law while keeping in mind your data protection obligations. At the outset of a disciplinary process in the circumstances set out above, you need to consider the risks around: (a) the allegations made and how those are treated; and (b) possible protected characteristics pertaining to the employee in question.
In the initial disciplinary documentation provided to Tian, you are required to provide sufficient information so that the employee can understand the charges against them. This would include details of any allegations, although employers should consider whether they could anonymise statements, for example, and redact any commercial sales information not needed for the employee to understand the charges. You may also want to consider health and safety obligations to other employees given that there are allegations that Tian has been aggressive in the past.
Dealing with the SAR
Can you avoid responding to Tian's request?
There are circumstances in which you may not have to respond to a SAR:
- if a SAR is "manifestly unfounded or excessive", you can charge a fee or refuse to respond, but in line with the emphasis on transparency and accountability, you will need to be able to provide evidence as to how you reached that conclusion and must also tell Tian of the possibility of complaining to the supervisory authority and taking legal proceedings;
- you could withhold personal data if disclosing it would "adversely affect the rights and freedoms of others" (guidance suggests that this could extend to intellectual property rights and trade secrets); and
- if Tian has made the SAR for the primary purpose of causing trouble and expense to the employer, or is insisting on production of information with no conceivable value, you may be able to rely on the doctrine of abuse of rights and refuse to respond to the SAR.
Here, the SAR is arguably excessive and there are fair reasons for considering that Tian may be asking for information for reasons other than his data protection rights. That said, the ICO is likely to expect you to try to narrow the scope of the SAR, rather than reject it outright, and it is notoriously difficult to rely on the doctrine of abuse of rights, particularly where employees are concerned.
How extensive does your search need to be?
Your obligation with regard to searches under the GDPR remains similar to the position before it came into force – searches must be proportionate, and employers are not required to do things that would be unreasonable or disproportionate to the importance of providing subject access. You will need to review your main servers and the systems where HR and email data are held, but may also need to look at backed-up data, deleted data, data held on other systems and data on company-managed devices. Record the systems searched and the search terms used, so that you can show later that the search was proportionate.
What information is Tian entitled to see?
Tian is only entitled to see his personal data, so consider the scope of the request but note that the concept of "personal data" is expanded under the GDPR.
Tian has, among other things, asked for sales figures and client data, as well as unredacted statements from colleagues. This is likely to include data which is not personal data, and may include data relating to other individuals.
Non-personal information falls outside the scope of the subject access request and there is no requirement to disclose it.
Make sure you identify any data which relates to other individuals and does not relate in any way to Tian ("non-relevant personal data"). You do not need to provide that and you can redact, anonymise or pseudonymise it if need be.
If the personal data is also information relating to another individual, unless that individual has consented, you have to consider whether or not it is reasonable to disclose it without consent. If it is not reasonable to disclose the information without consent, consider whether, by redacting information (in particular information that would identify the other individual), it would be possible to provide the employee with at least some of the personal data sought.
What about the texts and WhatsApp messages?
Where such communications are made using personal devices, the employer is unlikely to be able to retrieve them or to force employees to provide such data. WhatsApp messages are also end-to-end encrypted, so they cannot be obtained from the network or from the service provider; copies exist only on the participants' devices and in any backups those users keep.
Where such communications are made using work devices, the question arises as to whether the employer is a data controller or processor – arguably not, but if the employer relies on, or condones the use of, these types of communications for work purposes, it is likely to see more arguments requiring the disclosure of such communications. The employer's practical ability to access a company phone (for example, where it is managed and can be inspected or wiped centrally) and its policy on using messaging apps for work both bear on that question, so it is worth settling the policy before a request arrives rather than after.
How quickly do you need to respond to the SAR?
The period for response to a SAR is reduced to one month under the GDPR (extendable by up to a further two months where a request is complex or numerous, provided you tell the data subject within the first month why the extension is needed), and sanctions for potential breaches have been increased, so you will need to deal with Tian's request swiftly. At the least, you will almost certainly need to provide further detail as to the information held about Tian and the processing that is carried out, and may need to provide further details such as the period for which data is retained, and information about Tian's rights.
Can you delete some of the more problematic data?
Absolutely not! Under the UK data protection legislation that accompanies the GDPR, it is a criminal offence for an employer, or a person employed by the employer, to alter, erase, conceal or destroy information with the intention of preventing its disclosure in response to a SAR, so staff must be made aware of this as well. Apply a hold to the relevant records and any scheduled deletion or retention routines as soon as a SAR is received.
Do you still have to respond where you are using a data processor for your HR data?
Yes. It is the employer, as data controller, who is responsible for complying with a SAR. If the employer uses a data processor, it must ensure it has contractual arrangements in place to guarantee that subject access requests are dealt with properly and within the statutory time limit, irrespective of whether they are sent to the employer or to the data processor.
Dealing with the SAR complaint
It is important to respond promptly, investigate the complaint appropriately and document both the investigation and your response to Tian in these circumstances. Use this as an opportunity to review the processes, searches, search criteria and any other key aspects of your initial response, and consider whether Tian has grounds for complaint. Remember though that you are likely to be writing communications to Tian that may be presented in evidence if he decides to take matters further.
You should definitely be taking legal advice by this point if you haven't already.