Employees have the right to access personal data relating to them held by their employer. However, responding to such access requests is not always easy. In a 2-part article, we tackle the 12 questions employers most frequently ask when handling DSARs.
7. What happens if we discover something we don’t want to disclose?
Employers are required to provide a copy of the personal data which they hold as at the date they receive the request from the employee, unless that data changes in the normal course of business, for instance payroll data. What you cannot do is delete data to either defeat a subject access request or to avoid having to disclose the data. In fact, it is an offence for an employer or any employee to alter or erase information with the intention of preventing disclosure. This is one reason why regular audits of data and data cleansing exercises are important.
8. What is the difference between disclosing the data and providing the data when responding to a DSAR?
An employee has the right to ask their employer whether or not their personal data is being processed and, if it is, the employee is entitled to be given a copy of that data together with certain other information, such as the purposes of processing, the categories of data involved, the recipients of the data and retention periods. In many cases this information will be set out in the employer’s privacy notice, a copy of which can then be provided alongside the personal data.
It is worth noting that the requirement is only to provide a copy of personal data, not a specific document, although in reality it will often be easiest to produce a copy of the document with appropriate redactions, for instance to protect the identity of a third party also mentioned in the document. Extracts from a document may also be provided rather than the document itself if redactions would mean providing several pages of blanked out text.
Where the personal data is repeated in various places, provided it is the same, it only needs to be given to the employee once. Alternatively, if there is a lot of repetitive data it may be appropriate to summarise the data, as long as this is not used to hide data you do not want to disclose.
While an initial copy of the data must be provided free of charge, where the employee asks for further copies, you may charge a reasonable administration fee for providing these additional copies. Reasonable fees may also be charged where the request is manifestly unfounded or excessive.
9. Do we have to provide the data to the employee in a certain way?
A response to a DSAR should include a copy of the personal data plus certain other information (see above). The response should be in writing or, if the request was made by electronic means, then the personal data should also be provided in electronic form unless the employee asks for it to be given in a different way.
The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. So, for instance, you must be willing to explain how you have handled the request.
Employers should remember that the information must be provided without undue delay and, in any event, within one month of receipt of the request (unless this time limit is paused or extended by two further months where the request is complex).
10. If we have responded to a DSAR and the same employee sends in another request, can we ignore it?
If the subsequent DSAR is exactly the same as a previous DSAR which has just been responded to, then you may refuse to respond to it on the basis the information has already been given to the employee. However, care needs to be taken to check that the scope of the new DSAR is the same because, if it is not, you should respond to any new elements in the request.
There are, however, tactics, set out in the response to question 11 below, which you can use if an employee makes repeated requests for personal data.
11. Can we just refuse to comply or charge a fee?
Where a request is manifestly unfounded or excessive the employer can charge a reasonable fee for responding, based on the administrative costs of providing the information, or can refuse to act on the request. You must, however, be able to demonstrate why you have taken the action you have and, in cases where you refuse to act, you must give reasons for this to the employee and explain that the employee can complain to the ICO or apply to the court.
In deciding whether a request is manifestly unfounded or excessive, you should consider each request individually. Examples of situations which might come within this category include where the request is malicious and is being used to cause disruption to the employer or to target a particular employee against whom the requester has a personal grudge, or where the requester has no real intention of exercising their right of access, for instance making the request and then offering to withdraw it for compensation.
12. Do I provide the same data when responding to a DSAR and when disclosing documents for an employment tribunal hearing?
In the employment setting, DSARs are often made in the context of an ongoing dispute or tribunal claim. Often, the employee will ask for copies of documents as part of the DSAR in the hope that these will contain information beneficial to their case at tribunal, often referred to as a fishing expedition.
It is important to remember that, in terms of a DSAR, there is no right to be given copies of actual documents, only the personal data contained within those documents which relates to the individual making the request. This is different to the disclosure obligations in tribunal proceedings where there is a duty on a party to disclose to the other any documents which are relevant to the proceedings and which will be relied upon at any tribunal hearing. Where an employee uses a DSAR to request documents, you are entitled to refuse to provide those documents as long as the personal data within them is provided, and to wait until the time set for disclosure by the employment tribunal.
This is also the area in which you may be able to rely on the legal professional privilege exemption, to not disclose legal advice relating to the dispute/claim, or information relating to your intentions on negotiations to settle the dispute.
What is clear is that handling employee DSARs can be complex. For further assistance in this area, please contact the authors for more information on the services we offer.