Guide to responding to a Data Subject Access Request
As an employer, you must comply with a data subject access request without undue delay and usually within one month of receiving the request. This time limit may be extended in exceptional circumstances by a further two months if the request is particularly complex or time-consuming.
Personal data is information that relates to an identified or identifiable individual. For example, this could include their name, identification number, location data, or an IP address or cookie identifier. In certain circumstances, it can also include specific characteristics of that person (e.g. physical, mental, economic or social characteristic).
The majority of personal data will be held on the employer’s main servers; however, it may also be held on backup servers, hard drives or mobile devices.
Under the GDPR, the old £10 fee has been abolished, so you can now only make a charge if the request is “manifestly unfounded or excessive”, in which case you can charge a reasonable fee or refuse to respond altogether.
What employee data can you withhold?
You do not always need to hand over every single piece of personal data.
There is no obligation to comply with a DSAR in relation to:
Legal professional privilege does not apply to documentation between your business and an HR consultant (internal or external to your business) or given by in-house legal counsel where the dominant purpose of its creation was not current or potential litigation.
So, for example, if you are thinking about exiting an employee and you are advised on the process by an HR consultant, any communications (some of which may be highly detrimental to your case) may have to be disclosed if the employee makes a DSAR. They may also have to be disclosed in any litigation.
The safest way to protect your communications is to instruct an employment lawyer to advise you on the possible risks to your business of exiting the employee so that legal professional privilege will attach and protect such communications.
The growth in the nature and quantity of data held by employers about their staff has made compliance with subject access requests increasingly onerous. Understanding from the outset how to respond to such requests is crucial, as failing to comply within the usual one-month time limit can expose your business to a claim for compensation, and to enforcement or criticism by the Information Commissioner’s Office (ICO), a Court or a tribunal.
Conversely, inadvertently going beyond what is legally required is likely to waste your time and resources and may expose your business to unnecessary risk by giving the employee material that could be used against you.
Obtaining legal advice as soon as you receive a request and planning how to respond and process that request is likely to save you significant amounts of management and administrative time, control your costs and risk, and prevent the provision of material that could properly be withheld.
Here are our top tips for dealing with requests:
Although a request will normally be in writing, it can also be made verbally. You should not try to delay (or ignore) dealing with a request on the basis that it does not mention the Data Protection Act 2018 or the General Data Protection Regulation (GDPR), or because it does not explicitly state that it is a subject access request. A subject access request does not have to include either; it just has to be clear that the individual is asking for their own personal data. Similarly, you cannot require the employee to use a specific form or document to make a request. We advise employers to have a Privacy Notice in place for their employees which sets out the preferred process for making a subject access request.
Always diarise to deal with a request well in advance of the one-month deadline. Missing the deadline will be looked upon unfavourably by the ICO, Court or Tribunal. Make sure you leave time for checking any data obtained from your searches, as legal input will often be needed in deciding what has to be disclosed and what can be excluded or needs blanking out.
Be sure of the applicant’s identity
You should ensure that you are certain of the applicant’s identity before you provide any personal data. If you have any doubts about the identity of the individual, you can ask them for more information to confirm their identity. The period for responding to the subject access request begins when you receive the additional information.
The inadvertent or wrongful disclosure of personal data to the wrong person is treated extremely seriously by the ICO.
Third party request
If you receive a request made by a third party on someone else’s behalf, you should obtain satisfactory written evidence of their authority from the data subject before proceeding. You should seek legal advice if you are uncertain whether you should proceed.
The applicant is entitled to copies of their personal data held by you. The concept of “personal data” is not static – the scope of the term has changed over the years – and the Courts, EU, and ICO all have different interpretations.
The obligation on you is to carry out a reasonable and proportionate search for the applicant’s personal data. There is no requirement to ‘leave no stone unturned’. You cannot refuse to check for any data merely because responding to the request may be labour intensive or inconvenient, but you can push back if the request is manifestly unfounded or excessive. So, for example, where the request and the related grievance concern a particular event, and the applicant asks for all their personal data over the many years since they started, you may be able to seek to limit the search to the period around the date of the event. That said, you should always provide a full copy of the personnel file (subject to any applicable redactions).
In certain circumstances you can refuse to act on the request if it is manifestly unfounded or excessive e.g. it is a repeated request. If so, you must tell the employee without delay and at the latest within one month of receipt of the request and give reasons for not taking action. Employers must also tell the employee of the possibility of complaining to the ICO and taking legal proceedings. However, where possible, employers should first try to engage with the employee and seek to limit the request.
As above, certain data is exempt from a request. In particular, this includes personal data processed in connection with management forecasting or planning, to the extent that complying with a request would prejudice the conduct of the business. Similarly, you do not need to provide material that is subject to legal professional privilege. There are several other categories of exemption, including data which also relates to third parties.
There is no obligation to provide an original document (e.g. a letter) containing personal data; however, where the document contains information constituting personal data, a copy must be supplied.
The information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (e.g. on paper or disk).
The obligation to provide information in an intelligible form means that it must be understandable to the “average person”, not that it is intelligible to the particular individual. Accordingly, there is no obligation to make the material legible or to translate it into the applicant’s mother tongue. However, where information is denoted by the employer’s use of codes, etc., a key should be included so that the applicant can understand the information.
In addition to providing the applicant’s personal data, the employer’s response letter should set out:
It should also notify the data subject of their right to:
Careful consideration should be given to whether any data should be withheld from disclosure, and for what reasons.
Complying with subject access requests requires up-to-date technical legal knowledge of this challenging and ever-evolving area. Similarly, knowing how to limit the scope of the search can be invaluable, especially when an employee is fishing for ammunition to support a claim against your organisation.
Dealing with DSARs can be a significant drain on the resources of your business. Not responding is not an option – the Information Commissioner can hand out fines of up to 20 million Euros or 4% of the group worldwide turnover (whichever is greater).
If you need advice or have any questions in relation to Data Subject Access Requests or the GDPR, please contact David Greenhalgh on 020 3603 2177 and we can give you advice on the best way to fulfil your obligations quickly and efficiently.
This article/blog is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking or deciding not to take any action.