Under the Act, a “data subject” can make a data subject access request (a DSAR), and a “data controller” has a duty to comply, subject to some exceptions.
Although responding to a DSAR can be time-consuming and expensive, the obligations of transparency under the Act mean that you must be willing to explain how you are handling the request and to confirm this to the employee within the required time limit. If you do not, the employee may feel aggrieved and believe that you have failed to comply with the Act’s requirements, leaving you vulnerable to a potential complaint being made to the ICO or a court order to comply with the DSAR.
It is, therefore, important to respond to a DSAR in an appropriate manner.
What to do if you receive data subject access requests from employees
You should make an initial assessment to consider:
- whether or not you store or process data concerning the employee;
- whether you intend to respond;
- the scope of the request; and
- the proposed approach to finding the data and dealing with the response.
In general, regardless of any suspicions about the employee’s motivation, you should approach compliance in a positive and helpful way:
- you must facilitate the exercise of the DSAR;
- the request must be handled fairly and transparently;
- information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
In the employment forum, DSARs are frequently made in the context of an ongoing dispute or a tribunal or court claim. An employee may be genuinely motivated by a wish to find out what data is being processed and to ensure that it is accurate. However, the employee may also see the trouble and expense to which you may be put by dealing with a DSAR as offering useful leverage in a dispute and in achieving a settlement.
Your response
Your response should be in writing or, if appropriate, by electronic means. If the request was made originally by electronic means, information should be provided “in a commonly used” electronic form unless otherwise requested by the employee. At the employee’s request, the information may be provided orally as long as you are certain of the identity of the individual making the request. However, oral requests are rare.
Except in perhaps very straightforward cases, it would be sensible to take legal advice before either substantively responding to a DSAR or indicating a refusal to deal with such a request.
Are there any exceptions to the DSAR?
Under the Act, there is no obligation to comply with a DSAR in relation to the following:
Legal
Personal data in respect of which a claim of legal professional privilege could be maintained in legal proceedings. This applies only to documents which carry legal professional privilege for the purposes of English law.
Reference
A reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference, whether processed by the reference giver or the recipient.
Management
Personal data is processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that complying with a DSAR would prejudice the conduct of the business or activity. For example, it is likely to prejudice the conduct of a business if information on a staff redundancy programme is disclosed before it is announced to the rest of the workforce.
Records of Intent
Personal data consisting of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the DSAR would be likely to prejudice the negotiations.
Other
Other exceptions relate to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections and various corporate finance services.
What happens if you do not respond to a DSAR?
Other than in exceptional cases, you will be under a duty to take action on a request by responding. There are, however, some circumstances in which you may decide not to take action. Examples might be where:
- the person to whom the DSAR was addressed is not the data controller (perhaps because it is acting as a data processor or someone else is the controller);
- the request is unfounded or excessive; and/or
- you can demonstrate that the request infringes the EU doctrine of abuse of rights.
If so, you must tell the employee without delay and, at the latest, within one month of receipt of the request. You must give reasons for not taking action. You must tell the employee of the possibility of complaining to the supervisory authority and taking legal proceedings.
Except in clear circumstances and in which you are confident you can justify a decision not to take action on a request (as might be the case if you are not the controller), you should engage with the employee and seek to limit the request.
For more information on data subject access requests, speak to employment lawyer Karen Cole today.
Note: This article is not legal advice; it provides information of general interest about current legal issues.