Responding to a data subject access request from your employee/former employee
Responding to a Data Subject Access Request (DSAR) from an employee or former employee can be a challenging task for businesses. The right of individuals to access their own personal data that organisations hold is one that is enshrined in the UK GDPR and Data Protection Act 2018. Failure to respond to DSAR’s promptly or at all can lead to fines or reprimands from the Information Commissioner’s Office (ICO). With the vast amount of personal data that employers collect and process about their employees, it can be time-consuming and complicated to identify, review, and disclose relevant information. However, employers have a legal obligation to respond to DSARs within a specific timeframe and in compliance with relevant employment law. In this blog, we will explore some practical steps that businesses can take to help with responding to DSARs from employees.
Clarify the DSAR Request
If the employee has requested copies of all their personal data, it may not be clear what information they are seeking. In such cases, employers can ask employees to clarify their DSAR by identifying specific issues or incidents that they are concerned about and provide additional context. This can help to narrow down the search for relevant information, thereby saving time and resources. However, caution should be exercised, as the regulator may not agree that clarification was needed. Employers may opt to run reasonable searches for relevant personal information based on their understanding of what the employee is looking for.
Identify Relevant Sources of Information
HR systems are typically a good starting point for searching for employee data. However, employers should also consider other sources of information that may be relevant to the DSAR request. For instance, if the employee has recently been dismissed, they may be interested in discussions among those involved in the decision-making process. This may include the employee's line manager and other colleagues. Employers should consider what channels these individuals use to communicate and whether it is reasonable, taking into account obligations to those employees too, to search their email folders and/or other channels.
Apply Targeted Search Terms
In cases where there are thousands of documents containing the employee's data, applying targeted search terms can help to find the most relevant information quickly. Employers can enlist the help of their IT team or use third-party review platforms to run searches and enable easy review of the data. Although this may incur costs, the time-saving can be substantial.
Apply Exemptions to Disclosure
Under the UK GDPR, various exemptions to the right of access apply. If exempt information is contained in any document provided to the requestor, it should be redacted to avoid any disclosure of such information. In some cases, this may mean withholding documents in their entirety. Common exemptions applicable in the context of employee DSARs include privilege (e.g., emails containing legal advice about a dismissal), management forecasting (e.g., where the employer is contemplating a restructuring), and third-party privacy rights.
Request Extension of Timeframe
If employers cannot meet the DSAR response deadline, they can request an extension of up to two months. This extension can be granted if the DSAR is complex or one of multiple requests made by the employee. Employers must notify the employee and explain the reasons for the extension. However, employers should not default to an extension unless it can be justified.
ICO guidance
On 23 May 2023 the ICO published guidance for businesses and employers on dealing with DSAR’s by way of a list of Q&A’s.
Responding to a DSAR from an employee can be a challenging task for businesses. However, by taking the appropriate steps, businesses can make the process more efficient and comply with relevant employment law. At Winston Solicitors, we can assist with DSAR requests that are often made in conjunction with existing or threatened employment tribunal proceedings. Contact us today to find out more.