As an employer, are you obliged to search personal devices, personal email accounts and/or personal social media accounts belonging to employees or others such as trustees or non-executive directors when responding to a data subject access request (DSAR)?
Many employers will now be familiar with undertaking a ‘reasonable and proportionate’ search when responding to an employee’s DSAR under Article 15 of the UK GDPR. An employer must provide an employee with their personal data in response to a DSAR if it is a data controller for that data. In most cases this means that an employer would simply search its own computer systems for that personal data.
Searches will unearth the usual documents and records in personnel files and email exchanges. But more and more often, employers are having to consider whether the searches need to extend to employee exchanges on social media platforms like WhatsApp, Twitter, LinkedIn and Facebook, as well as to exchanges and records kept on personal accounts or devices used by employees for work purposes, and also to those devices used by others connected to the employer such as trustees, non-executive directors or governors.
Whilst this area of law remains untested in the courts, we have some guidance from the Information Commissioner’s Office (ICO). The ICO Guidance states that it does not expect employers to instruct employees to search their private emails, personal devices or private instant messaging applications such as WhatsApp when responding to a DSAR – unless the employer has a good reason to believe the employee is holding relevant personal data on that device or account.
If employees are permitted to use their own personal devices or accounts to send work-related emails, they are likely acting on the employer’s behalf and, if so, any personal data stored on that device or account could be within the scope of the DSAR. The same applies where organisations engage trustees or non-executive directors as typically those undertaking these roles will use their own personal email accounts and devices to perform their functions.
If such personal devices and personal accounts are used by employees, or by those performing services on behalf of the organisation, in their official capacity or for ‘work purposes’, there is an argument that the employer will remain the controller of any personal data processed on those devices or accounts. Also, if the employer authorised or has knowledge of this processing on personal devices or accounts, those devices and accounts will likely fall within the scope of the searches the employer needs to undertake when responding to a DSAR, because the employer would then have a ‘good reason to believe’ that personal data falling within the scope of the request is being held in those locations. This rationale could also extend to social media platforms and text messages on personal mobile phones used for work. This applies irrespective of whether the employer can in practice easily access these personal devices or accounts: data processed on them is not automatically excluded from the DSAR searches just because it may be difficult for the employer to access it.
So what can employers do to minimise the risk of facing these DSAR search dilemmas?
- Employers should implement or review existing IS and IT policies to ensure they are clear about how business communication is carried out, including whether, and in what circumstances, personal devices and/or social media are permitted for work purposes; employers should also consider what sanctions would follow for non-compliance.
- Where possible, employers should provide those performing services on their behalf, such as trustees or non-executive directors, with a business email account to remove the need for personal accounts to be used.
- If the use of personal devices cannot be avoided, those using them should be informed and made aware that they could be asked to search for, and deliver up, personal data processed within their personal accounts or personal devices such as a mobile phone or personal laptop. Employers must also take into account the privacy rights of other individuals when considering the extent of the data to be disclosed under the DSAR.
- Employers should consider implementing a process for searching such personal devices or accounts if they do fall within a DSAR, including how to keep an audit trail should the requester and/or the ICO ask to see the extent of the searches carried out.
- Employers should provide data protection/security training to all employees and those performing services on behalf of the organisation.