In a world increasingly driven by technology, with a seemingly ever-increasing thirst for information, the once humble and often forgotten DSAR is now a potent weapon in the hands of a worker. It is often used legitimately by current or former workers who want to know what information an employer is processing about them. In the hands of an unhappy worker, however, it can be used to cause mischief, to help build a case and, for those who are being dismissed or have been dismissed, as a potent weapon: employers must spend significant amounts of time and money finding, extracting, reviewing and redacting documents containing the worker's personal data.
The time for complying with a DSAR is short: one month to find, extract, review, redact and issue the required data to the data subject. Many believe that the period for compliance is three months, but the one month can be extended, by up to a further two months, only if the request is complex or the data subject has submitted a number of requests, and the data subject must be told of the extension within the first month. Given the short period within which a data controller must comply, it is essential that thought has been given to the following issues:
(i) Where a search needs to be conducted.
(ii) How data will be extracted.
(iii) How the data, once extracted, will be searched.
(iv) The methods that will be used to redact data.
A recent ICO press release reported that 15,848 complaints were received relating to the handling of DSARs in the 12-month period to March 2023. Serial failure to comply with DSARs can prompt the Information Commissioner to take enforcement action, as it did when it issued a reprimand to Norfolk County Council, which had responded to fewer than 51% of the DSARs it received within the statutory period.
Form of DSAR
It is clear from the examples given that there is no required form for a DSAR: it can be a simple request for the worker's HR file, or for the information held about them.
Being copied into emails
One of the perennially thorny issues in dealing with a DSAR is how to treat emails into which a worker has merely been copied. The answer: it depends on the content of the email; information of a business nature can still be an individual's personal data. Most problematic for employers is the ICO's comment:
“Just because the requester receives the email, this does not mean that the whole content of the email is their personal information. Again, the context of the information is key to deciding this. However, their name and e-mail address are their personal information, and you must disclose this information to them.”
Requests frequently run to many thousands of emails, and disclosing every one of them would be hugely problematic. Noting that there were x00 emails addressed to the worker's email address containing no other personal data may sufficiently address the point. Where such emails are disclosed, the names of the other people to whom they were sent should be redacted.
Social Media Platforms and DSARs
The increasing and widespread use by businesses of social media platforms such as Facebook and WhatsApp means that the ICO regards the employer as the controller of the information posted on those pages. These platforms therefore need to be searched by the employer. It is essential that employers consider how they will conduct a search of such platforms, which may be routinely accessed only through an employee's mobile telephone.
Data subjects can also request CCTV footage of themselves. Given the nature of such footage, the ICO recommends that, when choosing a CCTV system, employers select one that allows the user to easily locate and extract personal data and to redact images of third parties.
DSARs and Grievances
The ICO has also confirmed that, in its opinion, if a worker raises a DSAR as part of a grievance, the employer cannot refuse to comply, although exemptions can be relied upon. Equally, if information is disclosed as part of employment tribunal proceedings and a subsequent DSAR is made, the ICO notes that the employer must comply with it and cannot assume that the lawyers acting for the worker will have passed on all the information provided to them.
Use of Settlement Agreements / NDAs
Given that DSARs are frequently raised in an employment context, it has become customary for settlement agreements to contain provisions prohibiting the making of a future DSAR and requiring any existing DSAR to be withdrawn. The ICO guidance makes it clear that such provisions are unlikely to be enforceable: a worker cannot waive their right of access to their personal data.
DSARs prejudicing negotiations
One of the exemptions applies where complying with a request would prejudice negotiations between the employer and the employee. Disclosing data about the employer's negotiating position, such as how high it is prepared to go, will clearly prejudice such negotiations. Once the negotiations are at an end, the rationale becomes harder to apply, because there is nothing left to prejudice. If negotiations fail and litigation ensues, a subsequent DSAR may still be covered by the exemption: disclosing what the employer would have settled for will prejudice its position, and it is arguable that, even though litigation is afoot, the negotiations have not truly ended.
Management Information and DSARs
If an employer is considering a restructure and employees start submitting DSARs to find out whether they are in the selection pool, it may well be possible to withhold the data and to decline to confirm or deny whether such information is held.
Useful guidance has also been given on when a request is "manifestly unfounded" or "manifestly excessive". In either case, a data controller can refuse to comply with the request.
Requests are manifestly unfounded if the worker has no genuine intention of exercising their right of access, or the request is malicious in intent and is being used to harass the employer. Malicious intent includes:
(i) Making unsubstantiated accusations;
(ii) Targeting an employee against whom they have a personal grudge, and
(iii) Systematically sending different requests as part of a campaign.
The Q&A notes that every request should be considered in context and that, whilst aggressive and abusive language is unacceptable, such language alone does not make a request manifestly unfounded. A request would be manifestly unfounded, for example, if the data subject made it clear that it had been submitted to obtain an improved financial offer.
Requests frequently involve many documents, and employers can struggle to identify whether a request is manifestly excessive. In determining this, a data controller should consider whether the request is "clearly or obviously unreasonable", and whether it is proportionate when compared to the burden or cost of dealing with it. Matters to consider include:
(i) The nature of the information requested;
(ii) The context of the request;
(iii) Whether a refusal will cause substantive damage to someone;
(iv) The available resources;
(v) Whether there have been previous requests and the gap between them; and
(vi) Whether there is any overlap with previous requests.
The Q&A notes that, where there are large requests, clarification should be sought about what is being looked for, in order to narrow the search; that emails containing only the worker's name, email address and signature can be reviewed as a class; and that information can be supplied in summary form, e.g., "1,000 emails contain only your name, signature and email address".
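The summary approach the Q&A describes, and the earlier point about emails a worker has merely been copied into, amount to a triage of a mailbox export: separate messages whose only personal data about the requester is their name and address in the headers (or a signature block) from messages that actually discuss them, count the former, and redact other recipients from anything disclosed. The Python below is an added example written for this page; it is not code from the article, the ICO or any named tool. The requester identity, the three sample messages and the "-- " signature-block heuristic are all constructed for illustration.

```python
"""DSAR email triage (added example, not from the article): bucket a mailbox export
into messages that merely carry the requester's name/address in headers or a
signature block, versus messages that discuss them, and redact other recipients
from the headers of anything to be disclosed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Hypothetical requester identity, assumed for the example only.
REQUESTER_NAME = "Jane Doe"
REQUESTER_EMAIL = "jane.doe@example.com"

# Constructed sample export (three RFC 822 messages); not real correspondence.
SAMPLE_EXPORT = [
    """From: Bob Smith <bob.smith@example.com>
To: Ops Team <ops@example.com>
Cc: Jane Doe <jane.doe@example.com>, Carol Jones <carol.jones@example.com>
Subject: Server migration Friday
Content-Type: text/plain; charset="utf-8"

Team, the migration to the new file server is scheduled for Friday 18:00.
--
Bob Smith
IT Operations
bob.smith@example.com
""",
    """From: Alan Brown <alan.brown@example.com>
To: HR <hr@example.com>
Subject: Q3 review notes
Content-Type: text/plain; charset="utf-8"

Notes on Jane Doe's Q3 performance for the file: targets met, one late delivery.
--
Alan Brown
Head of Sales
""",
    """From: HR <hr@example.com>
To: jane.doe@example.com
Cc: Dan Lee <dan.lee@example.com>
Subject: Your appraisal
Content-Type: text/plain; charset="utf-8"

Hi Jane, your appraisal notes are attached. Please sign and return by Monday.
""",
]

# Conventional signature delimiter ("-- " or "--" on its own line); a heuristic.
SIG_DELIMITER = re.compile(r"^--\s*$", re.MULTILINE)


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def body_without_signature(msg: EmailMessage) -> str:
    """Plain-text body with the signature block removed: the requester's own
    name in a signature is not a discussion of them."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    match = SIG_DELIMITER.search(text)
    return text[: match.start()] if match else text


def mentions_requester(text: str, name: str, address: str) -> bool:
    """Conservative whole-word match on the full name, the address, its local
    part, or any single name token. Errs toward sending a message to review."""
    tokens = [name, address, address.split("@")[0]] + name.split()
    return any(re.search(rf"\b{re.escape(t)}\b", text, re.IGNORECASE) for t in tokens)


def triage(raw_messages, name, address):
    """Return (header_only, substantive). A message is substantive if its
    subject or body text discusses the requester, whether or not they appear in
    the headers (e.g. two managers emailing about them); header_only messages
    merely carry their name/address as sender or recipient."""
    header_only, substantive = [], []
    for raw in raw_messages:
        msg = parse(raw)
        searchable = f"{msg['Subject'] or ''}\n{body_without_signature(msg)}"
        (substantive if mentions_requester(searchable, name, address) else header_only).append(msg)
    return header_only, substantive


def redact_recipients(msg: EmailMessage, address: str) -> dict:
    """Disclosure copy of the recipient headers: every To/Cc entry other than
    the requester's is replaced. Body redaction is left to human review."""
    out = {}
    for header in ("To", "Cc"):
        if msg[header] is None:
            continue
        kept = [str(a) if a.addr_spec.lower() == address.lower() else "[REDACTED]"
                for a in msg[header].addresses]
        out[header] = ", ".join(kept)
    return out


def summarise(count: int) -> str:
    """The summary wording the Q&A suggests, with correct pluralisation."""
    noun, verb = ("email", "contains") if count == 1 else ("emails", "contain")
    return f"{count} {noun} {verb} only your name, signature and email address"


if __name__ == "__main__":
    header_only, substantive = triage(SAMPLE_EXPORT, REQUESTER_NAME, REQUESTER_EMAIL)
    print(summarise(len(header_only)))
    for msg in substantive:
        print("review:", msg["Subject"], redact_recipients(msg, REQUESTER_EMAIL))
```

The name-token matching is deliberately over-inclusive: a false positive costs one manual review, whereas a false negative is a message about the worker that never reaches them. On a real export the signature heuristic and the token list (nicknames, staff numbers, maiden names) would need tuning, and the substantive bucket still has to be read by a person for the exemptions discussed elsewhere on this page.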
What should employers be doing?
There are many steps that an employer should take, including:
Ensure that DSARs are recognised and passed to the correct people quickly.
Understand where to look, how to search for and extract data, and how that data will be presented.
Ensure that data protection policies are up to date and reflect the current legal position.
Ensure that data is cleansed in line with those policies and that information is not held beyond the date until which it must be kept. If data is to be deleted, there need to be robust systems in place to ensure that data which should be kept is retained.
Ensure that those who will or might be involved at any stage understand what their role is, the timescales involved and the rules applying to DSARs.
Ensure that there is sufficient resource to deal with DSARs and that those involved know how to use the search tools appropriately.
If you have any queries regarding DSARs and are looking for legal advice from our Employment team, get in touch on [email protected].
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.