Some DSARs can be wonderfully straightforward:
“Can I have a copy of my personnel file?”
“Absolutely, here you go”
“Can I have a copy of the notes from my appeal hearing?”
“Of course, all yours. Any time”
However, a large number of DSARs submitted by employees are far more taxing:
“Can I have all personal data you hold about me since I started working here 10 years ago”
“Erm” [panic sets in, cold sweat envelops HR Manager.]
Dealing with an employee’s DSAR takes time. Often, a great deal of time. As referenced in our previous blog piece, an initial search can throw up tens if not hundreds of thousands of emails/documents, each of which will need to be reviewed by the employer to ensure that it is not disclosing information that should be withheld, for example the personal data of a third party. In such circumstances, is the employer really required to review all, say, 20,000 emails or can it limit its search on the grounds of proportionality?
In the Data Protection Act 1998’s final days in 2017, we finally received clarity on this point in the cases of Dawson-Damer v Taylor Wessing LLP, Ittihadieh v Cheyne Gardens and Deer v University of Oxford. Those cases focused on the provision in the DPA98 that the personal data sought should be supplied unless this would involve “disproportionate effort”.
They confirmed that under the old DPA98 the “disproportionate effort” test applied to the search as well as to the supply of the results. While the principle of proportionality could not justify a blanket refusal to comply with a DSAR, it could limit the efforts that a data controller must take in response. Further, the “obligation to search is limited to a reasonable and proportionate search”, and is not an “obligation to leave no stone unturned”. Off the back of these cases, the ICO updated its Code of Practice.
The big (and as yet unanswered) question is whether this same test applies since the GDPR came into force.
On the one hand, there is no longer any reference to “disproportionate effort” in the DSAR sections of the GDPR or the Data Protection Act 2018 (unless, strangely, the request is made against the UK Intelligence Services – just saying). Therefore, on the face of it, there is no longer any legislative basis on which to limit a search on the basis of proportionality.
On the other, however, Recital 63 of the GDPR allows controllers of a large amount of personal data about the DSAR-maker to require the employee (in this case) to specify the particular information or processing activities to which their request relates. There is no specific guidance yet on this Recital, but it would appear to suggest that, in the example above where we have 20,000 emails referencing the individual’s name, we can go back to him and ask him for further specificity about what information he is actually after.
The ICO’s website currently goes one step further by stating that the period for responding to the request begins only when you receive this additional information. Should the DSAR-maker not provide the required clarification, the ICO website confirms that you must still endeavour to comply with the request by making “reasonable searches” for the information covered by the request. Therefore, in such circumstances, should the individual have put in the DSAR off the back of their redundancy, for example, the employer may be permitted to incorporate keyword filters designed to elicit all personal data connected to his redundancy process. However, there is no obligation on the requester to accept that limitation, as his DSAR might, at least in theory, arise not from his redundancy but from a genuine interest and concern in how his personal data has been processed by the employer. In such a case the employer would risk having to repeat the search without those filters.
In addition, the 2017 cases were in part decided on the basis of the EU’s general principle of proportionality, i.e. that legislative measures adopted should not exceed the limits of what is appropriate and necessary to achieve the objectives pursued by the legislation in question and that the disadvantages caused must not be disproportionate to the aims pursued. This principle still permeates the GDPR-world we now operate in and so it is reasonable to conclude that should this issue come before the courts, rulings similar to Dawson-Damer and Ittihadieh could be made.
Of course, if the DSAR crosses the threshold into being “manifestly unfounded or excessive” (which is for the employer to demonstrate), this could justify a refusal to comply altogether, or charging a (reasonable) fee to comply. It would seem that this test replaces the old disproportionate effort test from the DPA98 and is arguably a higher bar, but how exactly it will be interpreted by the courts and the ICO is yet to be determined. This new test applies to the request, not to the controller’s effort, though obviously the latter will need to be taken into account in evaluating the excessiveness of the request. In any event, this test may help employers to manage the request efficiently and provide information only to the extent required.
Finally, it is important to remember that the ICO would likely take a dim view of any argument that the employer should be able to narrow the search parameters just because of the cost of complying, or even the fact that it would take 200 hours for HR to comply with the request. The key issue at stake is that, should you be required to review 20,000 emails, you would come across the (often sensitive or confidential) personal data of a large number of other employees to whom you also owe a duty under the same data protection legislation. Reviewing all 20,000 emails may therefore be viewed by the ICO as a disproportionate invasion of the privacy rights of those individuals.
Again we await further guidance, including the Information Commissioner’s updated Code of Practice on DSARs. Our recommendation in the meantime is to assess your search parameters carefully and bear in mind the duty you owe to other employees/customers, etc., before undertaking any review. Should you require more information from the DSAR-maker to help locate the data he requires, you should enter into a dialogue with him with a view to agreeing a more focused search which better serves the privacy rights of those third parties.
What should you do now?
In the meantime, it is wise to seek specialist help.