How to tackle data subject access requests from employees

Oliver Spratt, Lara King and Julia Kotamaki answer the common questions raised by HR teams when responding to DSARs


Responding to any data subject access request (DSAR) can be tricky, especially when the DSAR comes from a current or former employee. The sheer volume of personal data that organisations collect and process about their employees can make identifying, reviewing, and disclosing information responsive to a DSAR a mammoth task. However, there are things you can do to make the process easier and more efficient.

  1. The employee has requested copies of all of their personal data – where do we start?

If you process a large amount of information about the employee and it is not clear what information they are requesting, you can ask the employee to clarify their DSAR – for example, you can ask them to identify particular issues or incidents that they are concerned about and to specify a timeframe or provide additional context. 

This can ‘stop the clock’ on the timeframe for responding to the DSAR. The clock starts again when the employee responds. If they don’t respond after a ‘reasonable’ period (e.g. one month), you can consider closing the request. Caution should be exercised, however, as the regulator may not agree that clarification was needed. It may be better to simply run reasonable searches for relevant personal information based on what you think the employee is looking for.

  2. Where do we look?

Start with your HR systems – this should be straightforward. Then think about where else relevant information might be held.

If, for example, you’re dealing with a recently dismissed employee, they are likely to be interested in discussions among the people involved in the dismissal decision-making process. This could include the employee’s line manager and other colleagues (e.g. the HR team). Consider which channels these individuals use to communicate and whether it is reasonable, taking into account your obligations to those employees too, to search their email folders and/or other channels.

  3. There are thousands of documents containing this employee’s data – do we have to review every single one?

No. Where you have an unmanageable volume of documents containing the employee’s data, you can apply targeted search terms to find the information most relevant to the DSAR.

Your IT team may be able to help with these searches. Alternatively, there are multiple providers of review platforms well suited to running searches quickly and accurately and then enabling easy review of the data. Using a third-party review platform means incurring costs, but the time saved can be substantial.

  4. Some of these documents contain sensitive information about others – do we have to disclose them?

The UK GDPR sets out various exemptions to the right of access. Where one applies, any document provided to the requestor should be redacted so that the exempt information is not visible. In some cases, this means that documents should be withheld in their entirety.

Commonly applicable exemptions in the context of employee DSARs include legal privilege (e.g. emails containing legal advice about a dismissal), management forecasting (e.g. where the employer is contemplating a restructuring), and third-party privacy rights.

  5. We can’t get this all done in a month. What are our options?

The timeframe for responding to a DSAR may be extended by up to two months if the DSAR is complex or is one of multiple requests made by the employee. You must notify the employee of the extension and explain the reasons for it. The complexity of a DSAR will depend on a number of factors, and employers should not default to an extension unless it can be justified.

Oliver Spratt is Of Counsel, Lara King an associate and Julia Kotamaki a trainee solicitor in Morrison Foerster’s London employment team.