How should HR teams manage data subject access requests?

Patrick Wheeler explains what employers should consider when an individual requests to see the information held about them by the organisation

The UK GDPR and the Data Protection Act 2018 have raised the profile of individual data rights. Data Subject Access Requests (DSARs) are now commonly made by disaffected employees, or by those facing disciplinary action or a grievance process. They can be time-consuming and disruptive to deal with, so it is vital that organisations, and their HR functions in particular, know how to recognise them, who has responsibility for coordinating a response, and what procedures need to be followed. So what are the key issues?

How do I recognise a DSAR?

There is no set form for a DSAR. Any oral or written request to see what personal data an organisation holds about the requester is likely to be a DSAR, whether it is labelled as one or not, and whether it arrives by letter, email, social media message or in conversation. Staff should be trained to recognise a potential request and know where to refer it. Either a Data Protection Officer (DPO) or a dedicated manager with both the authority and the responsibility to deal with DSAR responses is needed. This role can sit within HR or within a legal/compliance function. A formal policy and procedure, including a log of requests received and their deadlines, can help to streamline the process.

Who can make a DSAR, and when does the clock start?

Typically, it will be an employee or a customer, but it could be any living individual, and a request may also be made on their behalf by a representative such as a solicitor. The first priority is to confirm the identity of the requester (and, where relevant, the representative's authority to act). If there is any doubt, you should ask for verification, such as a photo ID, but only ask for what is proportionate; you cannot demand documents from someone whose identity is already known to you. The clock starts on the day the request is received, but it can be paused while you wait for identity verification or for clarification of the scope of a request. A full reply should be given within one month. That period can be extended by up to a further two months if the request is complex or the individual has made a number of requests, but you must tell the requester within the first month that you are extending and why. Any unexplained delay in the process risks becoming a breach of the statutory timescale.

What data needs to be disclosed?

A DSAR can either be general (all personal data) or specific, eg, data in notes of meetings and discussions which led to disciplinary action being taken. Where a request is very broad it is legitimate to ask the requester to clarify what they are looking for, but you cannot refuse to deal with it simply because it is general. Personal data is widely defined (any information relating to an identified or identifiable living individual), so you will need to carry out a search wide enough to capture everything of possible relevance, across email, shared drives, HR and line-management records, messaging platforms and any personal devices used for work, and then conduct a manual review of what the search returns. HR records are likely to be a key source of personal data.

'Data' is not necessarily the same as 'documents'. There is no obligation to disclose the documents themselves, although that may be the simplest way to provide the data. The requester is also entitled to certain supplementary information, such as the purposes of processing, the recipients of the data, the retention period and the source of the data, which is usually provided by referring to the privacy notice.

If documents contain the personal data of more than one individual, great care should be exercised. You may need either to ask the other individual for consent to such disclosure, to assess whether it is reasonable to disclose without consent, or to redact data that does not relate to the requester. Disclosing someone else's data without a valid reason will itself be a personal data breach. There may also be sensitive or confidential data, such as legally privileged advice or information relating to management planning, which needs to be carefully assessed to establish whether it needs to be disclosed or not.

Do any exclusions apply?

There are a number of exemptions that may apply in any particular case (for example, legal professional privilege, management forecasting, negotiations with the requester, and references given in confidence), but these are all narrowly defined and must be applied document by document, so you must be absolutely clear that they apply rather than take a chance. Record the reasoning for each exemption relied on, because you may later need to justify it to the ICO or a court.

Can I refuse to respond?

Unless a specific exemption applies, no. If a request is either 'manifestly unfounded' or 'manifestly excessive' then you may refuse to respond, or charge a reasonable fee for dealing with it, but the bar is a high one, so you must be able to explain in detail why you believe those terms apply. A request is not excessive merely because it is broad or inconvenient, and it is not unfounded merely because the requester is in dispute with you. If you do refuse, you must tell the requester without undue delay, and in any event within one month, why you are refusing and that they can complain to the ICO or apply to a court.

Conclusion

There are numerous potential pitfalls in responding to a DSAR. Failing to respond properly or in time is an infringement of the requester's rights, and disclosing other people's data in the process is a personal data breach in its own right. A regulatory investigation by the Information Commissioner's Office (ICO) can result in enforcement action (including hefty fines), and there may also be a claim for damages by the data subject(s).

DSARs are clearly on the increase, so it will be a sound investment for businesses to be prepared. Even organisations with a dedicated DPO and detailed policies and procedures can find it helpful to seek external advice, and if you have neither, an independent expert can significantly reduce both the risk and the stress.

Patrick Wheeler is a partner and head of data privacy at Collyer Bristow