How Employers Should Handle Data Subject Access Requests

Navigating data subject access requests (DSARs) can be a daunting task for most employers, and it’s understandable that the process might evoke feelings of dread.

When an employee data subject access request (DSAR) lands on your desk, you may feel overwhelmed by the administrative burden required to respond to it effectively. However, it doesn’t have to be so stressful!

Employers should understand that in this day and age, everyone – from customers to members of staff – has the right under the law to access their personal data; understanding these regulations is key to providing proper responses without overburdening yourself.

This article is designed to help you make sense of the complicated requirements to ensure you are equipped with all the know-how needed to deal with DSARs – while still respecting your employees’ rights.

What is a Data Subject Access Request (DSAR)?

A subject access request is a legal right to allow individuals to obtain information about how their personal data is being processed and used by an organisation. It is a fundamental right under data protection law and provides an individual with the right to have any personal data that an organisation holds on them provided in writing. This data can be used by individuals for a variety of reasons, such as checking accuracy or challenging decisions made about them.

How Should an Employer Handle a DSAR?

It is the employer’s responsibility to ensure that the DSAR is dealt with properly and in accordance with data protection laws. The following are the measures one can take when dealing with such a request:

• Understand DSARs are not always labelled that way: Employees may send an email along the lines of ‘Please send my HR file’ that may well constitute a DSAR, or others, such as ‘Can I have a copy of the notes from my last appraisal?’ that may not. Be aware that DSARs can come in many forms.
• Acknowledge the DSAR: Respond promptly in order to acknowledge the receipt of it. Ideally, you should do this within the legal requirement of responding this is normally one month or 30 days. However, if the request is complex, employers can take up to an extra two months to respond. If you wish to take the longer timeframe however you must let the requester know there will be a delay before the end of the first calendar month by law. The Information Commissioner’s Office (ICO) is currently clamping down heavily on delayed responses to DSARs, so you should act swiftly to avoid further difficulties.
• Verify the identity: To prevent unauthorised access to personal data, verify the identity of the individual making the request. Request additional information or identification documents if necessary.
• Check what data has been requested: DSARs do not always relate to all data held; in fact, it may only be in relation to one particular piece of information. Do not make assumptions, as you can ask for clarification and this can, in turn, save you precious time.
• Gather the requested information: Identify and locate all relevant personal data pertaining to the employee. This includes data held in electronic and physical formats, such as HR records, emails, performance evaluations, and any other relevant documents. Having processes and procedures in place to quickly identify which data needs to be provided and how it will be provided is key. In addition, you can consider using automated tools and systems to streamline the process, as these can help to speed up the response time.
• Assess exemptions and third-party information: Review the data to determine if any exemptions or restrictions apply. For example, you may exclude information that relates to other individuals or information that is legally privileged. This will vary on a case-by-case basis and as such it is integral that you refer the instance to a professional, either a company like HR:4UK or another legal entity if you are unsure of which exemptions apply. When engaging third-party HR providers as data processors, certain obligations must be followed to ensure the proper handling of DSARs on behalf of clients. Employers still bear responsibility for data protection regulations as they are considered ‘data controllers’. The third-party HR provider then functions as the data processor and must process all personal data with the controller’s instructions – which in turn must adhere to data protection regulations. In the event of a data breach, the HR provider will promptly notify the controller and vice versa. The controller holds the responsibility of notifying the relevant authorities and affected individuals. To fulfil these obligations, the HR provider will offer the necessary support and provide pertinent information.
• Provide the information: Once you have gathered and reviewed the data, provide the employee with a copy of their personal data in a commonly used format, such as a PDF or Word document. If the employee made the request electronically, you should generally provide the information electronically as well.
• Consider any supplementary information: Along with the requested data, you can include any additional information that may help the employee understand the context and use of the data.
• Respond to any additional queries: If the employee has any follow-up questions or requires clarification, promptly address them to ensure a transparent and open process.
• Maintain records: To ensure that as an employer you are in compliance with data privacy laws, you should keep accurate records of every data subject access request you receive and the steps that were taken to respond to them. This includes keeping a detailed log of when and how the personal data was provided to the individual, as well as who was responsible for providing it.
• Social Media: employees will often submit DSARs that request information on mailboxes, servers and social media platforms. UK GDPR applies to any social activity carried out in a commercial or professional context; as such, employers should search social media if the information held within it pertains to the DSAR. It’s also important to ensure that businesses have a clear policy and procedure in place to determine what employees can and cannot do on their IT systems to avoid conflict situations that arise as a result.

Can I Withhold Information?

The Information Commissioners’ Office (ICO) states that:

“Two of the most common exemptions you’re likely to come across as a small business are: Third-party data (where the information includes other people’s data); and Crime and taxation (where disclosing the data may prejudice an investigation). You will have to justify and document your reasons for relying on an exemption. It can be helpful to explain your reasons to the requester so they understand why you’ve not fully complied with their request. But only do this if it doesn’t reveal something you were trying to withhold.”

Manifestly Unfounded DSARs

A ‘manifestly unfounded’ DSAR is, simply put, a spurious or erroneous request that can be dismissed. However, the threshold for a dismissed DSAR on the basis of it being ‘manifestly unfounded’ is, according to the ICO, extremely high. Employers should always consider the request in context, and realise that a particularly substantial amount of personal data may not consitute legitimate means to dismiss the request.

Other examples, however, may be cause to suspect the intention of the request. For instance, a former employee who offers to withdraw the request for monetary payment would be one such case. Others may be repeated requests simply to cause disruption to your workplace (for example, weekly requests from the same individual) or have otherwise malicious intent.

The prospect of the courtroom and NDAs

Do note, however, that the prospect of litigation or tribunal proceedings is not considered sufficient grounds to refuse a request. Unless a relevant exemption applies, companies must respond to a DSAR. It is an unsafe assumption to think that a non-disclosure agreement or settlement agreement grants automatic exemption to a request. What is and is not included (in the contract or agreement) will vary greatly on a case-by-case basis.

Emails

Employees are generally not entitled to every email they sent or received over the course of their employment. Instead, they are entitled only to their own personal data and the contents of emails relating purely to business matters do not fall under this purview.

In the event of a DSAR, employers should determine the scope of the request in order to confirm whether or not the particular case involves all emails or just those relating to performance or benefits in order to ascertain an accurate picture of what is required and thus reduce the weight of compliance.

Tips for Responding Quickly to Subject Access Requests

The General Data Protection Regulation (GDPR) requires employers to respond to requests within one month, or two months if the request is complex. This can be a daunting task but there are steps employers can take to ensure they meet their legal obligations in responding quickly and effectively:

1. Establish an Internal Process

Develop an internal process for handling DSARs, including templates and checklists. This should include the steps to take when a DSAR is received, the information that needs to be gathered and the timescales for responding.

2. Create an Acknowledgement System

Establishing a system for acknowledging receipt of DSARs quickly and providing an estimated response time can help demonstrate that you as an employer are taking requests seriously.

3. Invest in Technology 

Technology can help automate many of the tasks related to DSARs, from identifying and locating personal data to providing a secure platform for responding.

4. Train Employees

All employees should be trained on how to handle data subject access requests, including understanding their legal obligations and the internal process for dealing with them. In many instances, this will take the form of submitting the request to the designated data protection officer.

Data subject access requests are an important part of ensuring compliance with data privacy laws, and employers should take them very seriously indeed. Being prepared, being able to respond quickly and efficiently and ensuring that all necessary steps are taken to protect the data of the individual making the request are all integral to each and every instance.

5. Balance the Employment and Data Rights of Others 

Furthermore, one should always take into account the sensitive information of others to whom the DSAR may encompass. For instance, an employee may seek information that pertains to an investigation, disciplinary process or performance review that contains the personal data of the individual in question as well as others. In such a case, it is absolutely crucial that the privacy rights of others must be taken into consideration.

If you have received a subject access request and are unsure what to do next, then contact our expert team of advisors who can guide you through the process today on 01455 444 222 or email: [email protected]

Alternatively, for further information contact the ICO Advice Line on telephone number: 0303 123 1113, available Mon- Fri 9am -5pm.