The General Data Protection Regulation (GDPR) has been in force for almost a year, and far from being a Y2K-like 'one-off', it has become apparent that it is an ongoing obligation that requires regular activity from organisations' compliance staff.
Part of that activity frequently involves managing data subjects’ requests for access to their personal data; the infamous data subject access request (DSAR). Subject access requests regularly arise in the context of a dispute with a disgruntled employee or ex-employee, who will often be only too keen to report the matter to the Information Commissioner’s Office (ICO) if they feel their request has been mishandled. Given the range of powers open to the ICO for non-compliance, organisations should take action to avoid the risk of regulatory scrutiny.
The GDPR confers a number of rights upon individuals, including the right of access to any personal data held about them by 'controllers', along with further specific information that is prescribed by the legislation. When an organisation receives a DSAR from a member of staff, ex-employee, or unsuccessful job applicant, it must respond within a month (a period that can be extended by up to two further months where requests are complex or numerous, provided the requester is told within the first month) and cannot usually charge a fee for doing so. There are a number of exemptions, but the presumption is generally that the individual should be provided with the personal data that he or she has requested.
The right of access granted under the GDPR is not new; it was introduced by the Data Protection Act 1998 (DPA 1998), though under the old law organisations had 40 days to respond and could charge a fee of £10. The fee deterred a surprisingly large number of would-be requesters. The GDPR abolishes the fee and the requirement for the request to be in writing. Coupled with the reduced response period this has resulted in an increase in the volume of subject access requests received generally and made them more challenging to deal with for employers.
Subject access requests are routinely made by disgruntled employees and ex-employees. They are frequently made for 'all the personal data that you hold about me'; in the case of a longstanding employee, his or her personal data could potentially be found in tens of thousands of documents.
The right is to the personal data being processed at the time the request was received. Personal data includes statements of opinion or of intent about the data subject, which in the context of an employment relationship could include unflattering comments made, for example, in interview notes, emails and minutes of meetings. Unhelpful to the employer though this may be, employees have a right to such information; indeed, it is a criminal offence to deliberately destroy, alter or conceal personal data in order to thwart a DSAR.
Employers must also be aware that some information should not be included in a response to a subject access request (for example, information that identifies another individual who has not consented to its disclosure), and some personal data may be subject to an exemption. However, the exemptions to the right of access are found in separate legislation: the less than user-friendly Data Protection Act 2018. As a result, to the uninitiated, dealing with a DSAR is a challenge.
How to prepare
The widespread publicity surrounding the GDPR means that people are more aware of their rights, are more likely to exercise them, and they are more likely to complain to the ICO if their request is not properly dealt with. The ICO regularly investigates complaints, and if the investigation of a failure to respond to a subject access request reveals non-compliant data handling practices generally, the organisation concerned potentially faces a range of sanctions.
Businesses, public authorities and charities must have robust, effective policies and processes in place for dealing with data subjects' requests and they should ensure that their staff are trained to recognise and manage requests.
James Castro-Edwards is head of data protection at Wedlake Bell