Data subject access requests (DSARs) have increasingly become part of the armoury of disgruntled employees looking for information to bolster potential employment tribunal claims.
While DSARs, which give employees the right to access personal data held on them by an employer, have been around for more than 20 years, their number has been rising since the General Data Protection Regulation (GDPR) was introduced.
Despite the world having to deal with coronavirus, there is nothing to prevent employees from submitting a DSAR at this time and employers’ obligations remain the same. This makes it even more important to plan ahead and act quickly so a DSAR can be successfully dealt with.
I’ve received a DSAR – what do I do?
The most common mistake we see is employers waiting until a few days before the one-month deadline before pressing the panic button. In the best of times this is a bad idea, but with staff working from home because of the pandemic and things taking longer as a result, it is even more crucial to act early and have a clear and coordinated project plan.
Under the GDPR, the time limit for responding to DSARs was reduced from 40 days to one month. However, it is possible to extend this deadline by a further two months where the request is particularly complex, giving three months to comply.
In the current crisis, with the logistics of offices being shut, remote working and a reduced workforce, employers may have difficulties responding within one month. While this in itself doesn’t make a request more complex and wouldn’t therefore enable the deadline to be extended, the current Information Commissioner’s Office (ICO) guidance states that the ICO will recognise that the reduction in resources could affect the ability to respond to DSARs where organisations need to prioritise other work because of the crisis. The ICO has said this will be taken into account when considering formal enforcement action for not responding to a DSAR or responding outside the legal deadlines.
If you are able to extend the deadline because a request is ‘complex’, three months may seem like a long time to gather this data – but don’t delay. Given an employer typically holds a vast amount of data on their employees – especially if the employee has worked in the organisation for several years – this often takes longer than expected. And with remote working, it may take even longer.
It is essential that an organisation has a good IT system that can be accessed from home during the pandemic, and an agreed protocol with its IT team on how to search for data and how to reduce the search results to a manageable number.
What data do I need to hand over?
This depends on what the employee asks for. If they are savvy enough to ask for every mention of their name, every version of their name and their initials, that will be a much bigger task than if they just ask for the data on their personnel file.
Employers often receive these requests because the employee wants to find out what their line manager said about them in a grievance or whether employees have been talking about them behind their back. While an employee is entitled to ask for everything, it’s a good idea for employers to ask the employee specifically what they want. If you can narrow down the search to a time period and to emails between certain people it will make life a lot easier.
DSARs cover every system where the employer is the data controller. With regard to requests for data from WhatsApp groups, the employer is generally not the data controller for those messages.
What don’t I have to disclose?
It’s a common misconception that employees are entitled to documents. They are just entitled to the personal data within those documents. Employers can extract the details from documents if they want.
If documents are released you may want to redact them to remove business-sensitive information. Also, you can’t hand over personal data about other employees unless you obtain their consent or otherwise conduct an assessment that disclosure is proportionate. So this will necessitate further redaction. However, you should be careful when redacting. The more you do, the more it will look like a document released by MI5, which may make an employee suspicious. This is where extracting the personal data about the employee rather than redacting everything else can be a better approach.
Information that is exempt from DSARs includes any references given or received about the employee and anything covered by legal privilege. Another exemption is details of future business plans that would be prejudiced if disclosed, such as details of redundancies that have not yet been announced. Finally, you do not need to disclose documents about negotiations with the employee, where revealing them would prejudice the negotiations, such as a termination payment offer.
The main piece of advice, especially during the current crisis when collating information may take longer than usual, is to be prepared for a DSAR before you get one and, when you do, act on it immediately. If you follow this advice, these time-consuming requests will be much easier to handle.
Jane Bowen is an employment solicitor at Devonshires