Written by Nicola Gater | 23rd October 2023
As an employer you will collect and store a large amount of personal data about employees during the course of their employment – and they have the right to access this at any time.
This is not a recent development: the Data Protection Act 1998 established the right of any individual to see the personal data an organisation holds about them by making a Data Subject Access Request. However, since the GDPR (General Data Protection Regulation) and the Data Protection Act 2018 were introduced, people are much more aware of their data rights, and many employers will have been on the receiving end of just such a request from an employee.
A Data Subject Access Request, or DSAR for short, must relate to personal data, so it might cover HR records, pay and pension information, CCTV footage, or internal communications such as emails about the individual making the request.
Existing employees, former employees and job applicants can all make a Data Subject Access Request to the employer. Depending on how long the employer has been collecting and processing that individual's data, there may be a large amount of information to collate and review before it is released. Since GDPR took effect in 2018 the employer can no longer charge the administration fee that the 1998 Act allowed, so receiving a DSAR can be costly and very time-consuming. Failure to comply with a DSAR can result in complaints to the Information Commissioner's Office (ICO), which can order compliance and take enforcement action, and the individual can also claim compensation through the courts. Here is how to handle them in a fair and compliant manner:
Know what you are looking for, and what to exclude
Firstly, verify the identity of the person making the request, using checks proportionate to the sensitivity of the data involved. You do not want to breach data protection law by releasing data about one individual to another.
To respond to a DSAR you will be required to search for every piece of data (records, files, documents, emails, CCTV, etc.) that identifies that individual. This may produce a large amount of information from a number of different data sources. Your initial search may also return data that does not relate to the relevant individual, for example where you have people with the same or similar names or initials. You must only release the data of the individual who has requested it, so every search result must be reviewed to confirm it relates to the correct person; where a system holds a unique identifier such as an employee number, match on that rather than on name. Where a record references more than one individual, for example an email from a manager giving performance information about every member of their team, the information about other people must be redacted before it is released.
You are permitted to ask the individual making the DSAR whether they are looking for data from a particular timeframe or of a particular type (e.g. performance reviews), and this can help you narrow your search. However, they can ask for everything if they want to.
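To make the search-and-review step concrete, here is an added example (not from the original article and not any real HR product): a small Python helper that collates records for a verified requester, matches structured HR data on a unique employee number rather than on name, holds back free-text hits that could refer to a namesake for a human reviewer, and redacts other employees' names and addresses before release. The directory, HR records and emails are constructed sample data, and the existence of an `emp_id` key in every HR system is an assumption.

```python
"""Hypothetical DSAR collation helper (added example, not from the article)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str   # unique HR identifier; assumed to be present in every HR system
    name: str
    email: str


# Constructed directory and sample sources; none of this is real data.
DIRECTORY = [
    Employee("E1001", "Jane Smith", "jane.smith@example.test"),
    Employee("E1002", "Janet Smith", "janet.smith@example.test"),
    Employee("E1003", "Tom Brown", "tom.brown@example.test"),
]
HR_RECORDS = [
    {"emp_id": "E1001", "record": "2022 appraisal: Jane Smith met all objectives."},
    {"emp_id": "E1002", "record": "2022 appraisal: Janet Smith exceeded objectives."},
]
EMAILS = [
    {"id": "m1", "sender": "tom.brown@example.test",
     "body": "Jane Smith was late twice this week; Janet Smith covered for her."},
    {"id": "m2", "sender": "hr@example.test",
     "body": "Reminder: J. Smith's probation review is due on Friday."},
    {"id": "m3", "sender": "tom.brown@example.test",
     "body": "Tom Brown has booked leave for the last week of June."},
]


def find_employee(emp_id):
    """Resolve the requester to a directory entry; identity is verified before this runs."""
    for e in DIRECTORY:
        if e.emp_id == emp_id:
            return e
    raise KeyError(emp_id)


def _word(pattern):
    """Anchor a pattern on word boundaries so 'Jane Smith' cannot match inside 'Janet Smith'."""
    return r"\b" + pattern + r"\b"


def classify_email(email, subject):
    """'disclose' if unambiguously about the subject, 'review' if a namesake could be meant, else 'exclude'."""
    text = email["sender"] + " " + email["body"]
    if re.search(_word(re.escape(subject.name)), text, re.I) or subject.email.lower() in text.lower():
        return "disclose"
    initial, surname = subject.name[0], subject.name.split()[-1]
    # Partial forms such as "J. Smith" or a bare surname are only safe if the surname is unique.
    partial = _word(re.escape(initial) + r"\.?\s+" + re.escape(surname)) + "|" + _word(re.escape(surname))
    if re.search(partial, text, re.I):
        namesakes = [e for e in DIRECTORY if e.name.split()[-1].lower() == surname.lower()]
        return "review" if len(namesakes) > 1 else "disclose"
    return "exclude"


def redact_third_parties(text, subject):
    """Mask every other directory member's name and address before release."""
    for other in DIRECTORY:
        if other.emp_id == subject.emp_id:
            continue
        for token in (other.name, other.email):
            text = re.sub(_word(re.escape(token)), "[REDACTED]", text, flags=re.I)
    return text


def build_response(emp_id):
    """Return records to disclose and records needing manual review, as (source, text) pairs."""
    subject = find_employee(emp_id)
    disclose, review = [], []
    # Structured systems: match on the unique identifier only, never on name.
    for rec in HR_RECORDS:
        if rec["emp_id"] == subject.emp_id:
            disclose.append(("hr", redact_third_parties(rec["record"], subject)))
    # Unstructured sources: name matching, with ambiguous hits held back for a human.
    for mail in EMAILS:
        outcome = classify_email(mail, subject)
        if outcome == "disclose":
            disclose.append((mail["id"], redact_third_parties(mail["body"], subject)))
        elif outcome == "review":
            review.append((mail["id"], mail["body"]))
    return {"disclose": disclose, "review": review}


if __name__ == "__main__":
    for bucket, items in build_response("E1001").items():
        print(bucket)
        for src, text in items:
            print(f"  [{src}] {text}")
```

Running it for employee E1001 discloses her appraisal and the first email with her colleague's name masked, and routes the "J. Smith" email to the review queue because two Smiths exist in the directory. Redaction by name list is a starting point only: a reviewer still has to read each released item for indirect identifiers (job titles, shift patterns, "her" in the sample email) that a pattern match will not catch.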
You usually have one month to respond to a DSAR; however, this can be extended by up to a further two months if the request is particularly complex or you have received a number of requests from the same person. Not having the internal HR resource to comply within one month is not a valid reason to extend. GDPR required all organisations to put in place the systems, records and processes that allow them to respond to DSARs promptly.
If you are going to extend the timeline, you must tell the requester within one month of receiving the request, and explain why the extension is needed. Failure to do so breaches GDPR, so consider whether an extension is appropriate as soon as the request is received. If you genuinely need further clarification from the requester about the data they want, the clock pauses until they reply; a clarification request cannot be used simply to buy time when the data could reasonably be found without it.
Make sure you record the date the employee made the request, the date of the response, details of who provided the information and what was provided.
Review your DSAR policy
If you haven’t already, make sure you have a written policy in place! The introduction of GDPR in 2018 required all organisations that collected and processed personal data to have clear policies, rules and systems in place to justify the processing of such data, ensure the protection of personal data, and enable them to respond to DSARs in a timely manner.
Firstly, you should be able to recognise a DSAR when it happens. Requests do not have to be formally made in writing, but could be submitted by email, verbally, or via social media. A job applicant simply asking for a copy of their interview notes is a DSAR about a narrow set of data and must be complied with. Your managers should know how to report a DSAR and respond in line with your policy, so they can be dealt with accurately and within the designated time.
You should have suitable management systems and IT protocols in place, so relevant information can be retrieved efficiently and securely.
It is vital that you make a reasonable effort to find and retrieve the requested information, as well as explain what searches have been done and why. Don’t forget that deleted and archived information should also be searched if it is still accessible on your systems. Your policies should clearly set out how and when personal data will be destroyed, and you must make sure this happens in practice.
What should be included in a DSAR response?
Typically, you would provide a copy of all the personal data you hold on the individual. However, remember that data subjects are only entitled to the personal data itself, not to the documents it is contained within.
That means if the personal data appears only in one paragraph of a much larger report, you can provide that paragraph alone rather than the whole report.
Your response should be given in an accessible, concise and intelligible format, and include:
- Confirmation of whether or not you process their personal data.
- A copy of the personal data being processed.
- The data subject's rights, including the right to request rectification or erasure and the right to complain to the ICO.
- The purposes for which you process the data.
- The categories of personal data concerned and the recipients (or categories of recipient) to whom it is or will be disclosed.
- Information about the source of the data, where it was not collected from the individual.
- The period for which you will store their data, or the criteria used to decide that period.
Can you refuse a DSAR?
UK legislation recognises that there can be a legitimate reason not to comply with a DSAR, including where the request is manifestly unfounded or excessive. This can be where you have reasonable grounds to believe the person has only made the request to harass or cause expense to your business. The ICO provides guidance on this to help you.
As an employer, you are entitled to weigh the importance of providing access to the information against the cost and effort of doing so, but the bar for refusal is high and the burden of justifying it is on you.
You cannot usually charge a fee. However, a reasonable fee to cover the administrative cost of complying can be charged if a request is manifestly unfounded or excessive, or for further copies of data you have already provided, such as a request for everything to be printed again and supplied as hard copy.
There are other circumstances where the employee will not be entitled to the data even though it is personal data relating to them. These include information covered by legal professional privilege, references given in confidence, and personal data processed for crime prevention or taxation purposes. Data processed for management planning purposes (e.g. a redundancy programme that has not yet been announced) can also be withheld where disclosure would prejudice the business's conduct of that planning.
If you refuse all or part of a request, you must tell the employee why, and of their right to complain to the ICO and to go to court, within one month of receiving the request.
Risks around DSARs
As well as the rules around responding to DSARs themselves, the results of a DSAR can cause significant risk to organisations.
In many cases, a DSAR is made relating to a specific issue, for example an employee is looking for evidence that unfair or discriminatory comments have been made about them by colleagues in emails, perhaps while a grievance they raised is being dealt with.
Every employee and manager must be made aware that their emails, file notes, records and sometimes even handwritten notes can be disclosed as part of a DSAR. This has the potential to cause, at the very least, some embarrassment, and often real risk to the employer if inappropriate, unprofessional or discriminatory comments are recorded on organisational systems. When the individual making the DSAR sees evidence of this, they may raise grievances or, in the worst cases, use it as evidence against the employer in an employment tribunal. Remember that once a DSAR has been received, no relevant data (including emails and notes) may be deleted or altered; doing so to prevent disclosure is a criminal offence under the Data Protection Act 2018.
Employers should regularly train their staff on their policies and expectations around data processing and protection, and professional behaviour in the workplace, with clear consequences should issues arise.
If you have any questions about Data Subject Access Requests or would like advice, please get in touch with our team at [email protected].