In recent years, employers have seen a sharp rise in data subject access requests ('DSARs') from their employees, used as a tactical move in workplace disputes, and this is only set to continue. Responding to DSARs takes up considerable time and administrative resources which could be better spent elsewhere, and we have increasingly been advising employers on how to navigate the fine line between processing their employees' requests efficiently and remaining fully compliant with complex data protection legislation.
DSARs in Employment
An individual's right to make a DSAR to obtain the information an organisation holds about them has long been an integral element of UK data protection legislation. However, as information technology has advanced, the vast increase in electronic data held relating to employees means that processing DSARs is now a far more onerous task for employers than was ever envisioned.
In recent years, this has led to a rapid rise in DSARs from employees involved in ongoing workplace disputes who recognise that the cost and administrative burden placed on their employers can seriously increase the employer's willingness to reach a settlement, or to settle on more favourable terms.
However, with the growing inevitability of receiving employee DSARs in such situations, employers are increasingly less inclined to agree a settlement just to avoid the costs and administrative burdens of complying with DSARs and are instead looking for ways to respond with improved efficiency.
Difficulties with Compliance
In the year to March 2023, the Information Commissioner's Office (ICO), the independent body responsible for upholding information rights in the UK, received 15,848 complaints regarding DSARs. This casts into focus the difficulty of remaining compliant with data protection law when responding to DSARs.
Further, as the ICO may take enforcement action for non-compliance, including enforcement notices, reprimands and fines, and the civil court may order compliance and potentially make compensatory awards, it is vitally important to navigate these difficulties to ensure that DSAR responses are fully compliant.
The following are some of the main difficulties faced by employers when responding to employee DSARs:
Time to Respond
A DSAR must be dealt with without undue delay, but within one month of being received at the latest. It is, therefore, important to note the date upon which the DSAR is received to avoid missing the deadline to respond one month later.
The one-month period for response may be extended by a further two months where the DSAR is particularly complex. In such cases, the employee must be informed of the extension, stating the relevant reasons, as soon as possible within the initial one-month period. A DSAR will not necessarily be complex just because a large volume of data is involved, so it is important to consider the potential complexity of each individual DSAR carefully.
Where an employer holds large volumes of data relating to the employee, it may be necessary to discuss narrowing the scope of the DSAR with them, to focus the search on the information they wish to receive. Not only will conducting too broad a search incur unnecessary costs, it also may not be possible to complete the search within the period for response whilst also remaining compliant with the ICO's requirements.
Identifying Relevant Personal Data
Under the Data Protection Act 2018 ('the Act'), personal data is any information relating to an identifiable individual. This extremely broad definition covers data referring to an individual by which they may be identified either directly or indirectly.
Having located the employee's potential personal data, consideration must turn to whether it constitutes personal data under the Act. Data can mention or be linked to the employee without relating to them where it concerns a separate topic, as is often the case in day-to-day business communication.
Identifying Exempted Data
Further, when assessing the relevance of personal data, any potential exemptions to the right to access personal data should be considered, as data falling within an exempted category will not be disclosable. The most commonly encountered form of exempted data will be other people's personal information where it appears alongside that of the employee making the DSAR. In such cases, caution should be exercised to ensure that the personal data rights of other individuals are not breached inadvertently.
How We Can Help
We can provide an expert view on a difficult area of law so that employers will be well informed and fully prepared when an employee DSAR is received.
The ICO's guidance makes clear its expectation that employers should have DSAR policies in place covering the processing and accessing of data, alongside parameters covering what employers may use their IT systems for. We can advise with drafting DSAR policies and ensuring they remain up to date.
Further, our specialist DSAR team can help to:
- make the process more efficient whilst complying with the requirements of the ICO;
- manage data and engage with the ICO on your behalf regarding what is a reasonable search;
- assist with narrowing the scope of the search to reduce the results;
- define relevant personal data;
- identify exempted data and ensure it is not disclosed; and
- set up secure data transfer rooms for processing and disclosure.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.