
Can an employer say no to a data subject access request?

In the third and final article in our DSAR mini-series, we look at the exemptions which are available to an employer when considering whether or not they have to disclose an employee’s personal data following receipt of a data subject access request.

Background

Our previous articles have focused on what constitutes personal data (Data Subject Access Request Series Personal Data) and how to properly redact such data prior to disclosure (Data subject access requests: Data redaction in an Employment context). However, what about a situation where an employer does not want to disclose the personal data which it has identified following a data subject access request by an employee? For example, what if the personal data contains confidential or business sensitive information? Is there any mechanism by which an employer can refuse to make the disclosure? The answer is yes, but only in very limited situations.

Exemptions

Employees have a right to access personal data which their employer collects about them. In general, therefore, following a data subject access request, an employer will have to confirm what personal data is being processed and provide a copy of that personal data together with certain specified information. However, there are some exemptions to this rule. Under the GDPR there is no obligation to comply with a subject access request where the personal data:

(1) is covered by legal professional privilege due to anticipated or ongoing legal proceedings. This applies only to documents which carry legal professional privilege for the purposes of English law or its equivalent under Scots law. It is important to remember, however, that legal privilege is not a universal concept and documents created by legal professionals in other jurisdictions may not be protected in this way;

(2) concerns purely personal or household activity. This would cover personal information but probably not records made personally in a work context;

(3) is a reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference whether processed by the reference giver or the recipient;

(4) is processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that complying with a data subject access request would prejudice the conduct of the business or activity. For example, it is likely to prejudice the conduct of a business if information on a staff redundancy programme is disclosed in advance of it being announced to the rest of the workforce;

(5) consists of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the subject access request would be likely to prejudice the negotiations. This could be important in the context of exit or settlement agreement negotiations for example.

What to do if an exemption applies

If one of the exemptions to the rules on data subject access applies, it does not necessarily mean that none of the personal data should be disclosed. Rather, the employer should review the personal data to see whether the exempt material can be redacted or otherwise removed, with all other data still provided.

While these are explicit exemptions under the GDPR, employers as data controllers also need to be aware of the wider need to protect third party personal data and commercially sensitive data which may be contained in the same documents as personal data concerning the data subject. Again, in such situations employers should consider whether the data can be sensibly redacted in order to enable disclosure.

Top tips

Taking all of the articles from our mini-series into account, in summary, when faced with collating personal data following a subject access request, an employer should:

  • identify the pool of data that is personal data about the employee making the request;
  • seek to narrow the amount of data in the pool using appropriate criteria;
  • review the data identified to see if it contains personal data relating to other individuals;
  • decide whether to seek the consent of those other individuals, disclose without their consent or refuse to disclose the data;
  • make any redactions as appropriate;
  • consider whether any exemptions to the subject access rules apply and, if so, redact or otherwise remove that data; and
  • finalise the copy data to be disclosed.

Disclaimer

This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
