Data privacy digest series
GDPR is a key piece of legislation when it comes to protecting our personal data, something that is increasingly important as technology becomes more entwined with our day-to-day lives. Data can be collected in a number of ways, such as through online shopping, medical practices or employers. An employer will require certain information in order to employ you, such as your contact details, sickness records and bank details. However, GDPR places strict rules on how an employer may collect, store and use personal data.
What is a Data Subject Access Request?
Sometimes called the 'right of access' or a 'data subject access request' (DSAR), this is the right of an individual (in the employment context, an employee or former employee) to confirm whether a data controller is processing their personal data and to receive a copy of it, together with information about how it is used. A request does not need to be explicit and can be made verbally or in writing, including through social media. A request does not have to reference any legal provision or use the words 'subject access request'; it just has to be clear that an individual is asking for their personal data.
Why do individuals submit DSARs?
The right of access allows individuals to understand how and why an organisation is using their personal data, and to check that the organisation is doing so lawfully. In an employment context, an individual may also submit a DSAR (often while undergoing disciplinary or grievance procedures) as a negotiation tactic in anticipation of litigation. Firstly, a DSAR puts pressure on an organisation to settle in order to avoid the cost of conducting in-depth searches and reviewing multiple documents. Secondly, a DSAR can give an individual documents which may support their claim, particularly internal correspondence about them.
Does an employer have to comply with a DSAR?
Generally, a DSAR must be complied with without undue delay and at the latest within one month of receiving the request. The employer may extend this period by a further two months, but only if the request is complex or the individual has made a number of requests, and the employer must tell the individual within the first month that it is extending the deadline and why. It is important to note that a request is not necessarily complex purely because there is a large volume of data.
An employer may ask an individual to clarify the scope of their request if it is unclear. Whilst clarification is being sought, the time limit is paused until the clarification is received. An individual can limit their request to a certain time period, type of document (e.g. emails) or documentation relating to specific individuals. An employer cannot normally charge a fee to complete a DSAR, but a reasonable fee based on administrative costs may be charged if the request is manifestly unfounded or excessive, or if an individual asks for further copies of data they have already received.
Exemptions can apply in certain circumstances, such as if the employer deems the DSAR to be manifestly unfounded or manifestly excessive. A request may be deemed to be manifestly unfounded if the individual clearly has no intention to exercise their right of access (for example, a request is made but the individual then withdraws it in return for a benefit from the organisation) or if the request is malicious in intent and is used for no other purpose than to cause disruption. A request may be deemed to be manifestly excessive if the request is not proportionate when balanced with the burden or costs involved in handling the DSAR. It is generally a high bar to refuse to co-operate with a DSAR but if an employer decides to refuse to comply with a request, it must inform the subject of the reasons why, their right to complain to the Information Commissioner's Office (ICO) and their ability to seek to enforce their right to access through the courts.
How should you carry out a search?
A DSAR will usually cover a wide range of material, including data held on IT systems (email, HR systems, shared drives, messaging platforms) as well as paper records held in a structured filing system. A DSAR should also include documents that an individual has already had access to (for example, emails that they have sent or received), unless the data subject has made it clear that these are not within scope. Any search should be carried out using reasonable efforts to find and retrieve the requested information. An employer is not, however, required to conduct a search which would be unreasonable or disproportionate to the importance of providing access to the information.
When presenting the collated information, an employer must be especially careful not to include other people's personal data. Third-party data should be disclosed only where that person has consented or it is reasonable in all the circumstances to disclose it without their consent (the Data Protection Act 2018 sets out the test); otherwise it must be redacted. Redaction has to remove the text itself, for example by deleting it and exporting a fresh copy, rather than drawing a black box over it or hiding a layer in a PDF, because those approaches can be reversed by the recipient. It is not always necessary to include a full document where it contains other people's personal data, and it may be easier to extract the sections that specifically refer to the requester's personal data.
In line with the above, an employer will be required to carry out comprehensive searches of their computer systems, as well as any paper documents. Third-party organisations may be able to assist with this, and this is something that we can advise on.
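The following is an added illustration of the search-and-redact workflow described above, written for this page rather than taken from Trowers & Hamlins or any real tool. It works over a constructed, fictitious mailbox export: it keeps only messages that reference the requester and fall inside the time window the requester agreed to (see the point on limiting scope above), discloses the whole body of messages the requester sent or received, extracts only the sentences that mention the requester from other people's correspondence, and replaces third-party identifiers in the text itself so the redaction cannot be reversed. The `Person` helper, the identifier lists and the manifest format are assumptions for the example; a real exercise would parse the export format in use, cover attachments, and build the list of third parties from the directory and from reviewing hits rather than from a hard-coded list.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Person:
    """Identifiers used to find one individual in free text (hypothetical helper)."""
    name: str
    email: str
    aliases: tuple = ()

    def patterns(self):
        return [re.compile(re.escape(t), re.IGNORECASE)
                for t in (self.name, self.email, *self.aliases)]


# Constructed sample mailbox export with fictitious people and domain, not real data.
MAILBOX = [
    {"id": "m1", "date": date(2023, 3, 2), "from": "hr@example.test",
     "to": ["jane.smith@example.test"],
     "body": "Jane Smith, your sickness record for February has been updated. "
             "Contact Tom Brown in payroll."},
    {"id": "m2", "date": date(2023, 6, 14), "from": "alice.jones@example.test",
     "to": ["bob.lee@example.test"],
     "body": "Bob, can you sign off the Q2 budget? Nothing to do with HR."},
    {"id": "m3", "date": date(2023, 9, 1), "from": "alice.jones@example.test",
     "to": ["bob.lee@example.test"],
     "body": "Bob Lee and I discussed the grievance Jane raised. Alice Jones will chair. "
             "Sarah Khan attended as note taker."},
    {"id": "m4", "date": date(2022, 11, 20), "from": "jane.smith@example.test",
     "to": ["hr@example.test"],
     "body": "Please find my bank details attached. Regards, Jane Smith"},
]

REQUESTER = Person("Jane Smith", "jane.smith@example.test", aliases=("Jane",))
# Window the requester agreed to after a clarification request (assumed).
REQUESTED_FROM = date(2023, 1, 1)
# Other individuals known to appear in the export (assumed list for the example).
THIRD_PARTIES = [
    Person("Tom Brown", "tom.brown@example.test"),
    Person("Alice Jones", "alice.jones@example.test"),
    Person("Bob Lee", "bob.lee@example.test"),
    Person("Sarah Khan", "sarah.khan@example.test"),
]


def mentions(text, person):
    return any(p.search(text) for p in person.patterns())


def in_scope(record, requester, since=None, until=None):
    """In scope if any requester identifier appears in the headers or body and the
    message date lies within the agreed window (None means unbounded)."""
    if since is not None and record["date"] < since:
        return False
    if until is not None and record["date"] > until:
        return False
    haystack = " ".join([record["from"], *record["to"], record["body"]])
    return mentions(haystack, requester)


def redact(text, third_parties):
    """Replace third-party identifiers in the text itself (irreversible) and return
    the new text with the number of substitutions, for the audit trail."""
    total = 0
    for person in third_parties:
        for pat in person.patterns():
            text, n = pat.subn("[REDACTED]", text)
            total += n
    return text, total


def disclosable_body(record, requester, third_parties):
    """Whole body if the requester sent or received the message; otherwise only the
    sentences that refer to the requester, i.e. extracting the relevant sections."""
    if mentions(" ".join([record["from"], *record["to"]]), requester):
        return redact(record["body"], third_parties)
    sentences = re.split(r"(?<=[.!?])\s+", record["body"].strip())
    kept = [s for s in sentences if mentions(s, requester)]
    return redact(" ".join(kept), third_parties)


def compile_response(mailbox, requester, third_parties, since=None, until=None):
    """Return the disclosure bundle and a per-record manifest of redaction counts."""
    bundle, manifest = [], {}
    for rec in sorted(mailbox, key=lambda r: r["date"]):
        if not in_scope(rec, requester, since, until):
            continue
        sender, n_from = redact(rec["from"], third_parties)
        recipients, n_to = redact(", ".join(rec["to"]), third_parties)
        body, n_body = disclosable_body(rec, requester, third_parties)
        bundle.append({"id": rec["id"], "date": rec["date"].isoformat(),
                       "from": sender, "to": recipients, "body": body})
        manifest[rec["id"]] = n_from + n_to + n_body
    return bundle, manifest


if __name__ == "__main__":
    bundle, manifest = compile_response(MAILBOX, REQUESTER, THIRD_PARTIES,
                                        since=REQUESTED_FROM)
    for item in bundle:
        print(item["id"], item["date"], item["from"], "->", item["to"])
        print("   ", item["body"])
    print("redactions per record:", manifest)
```

Run stand-alone, the script discloses m1 with the payroll contact redacted and only the one sentence from m3 that refers to the requester, with the third-party sender and recipient redacted; m2 never mentions the requester and m4 predates the agreed window. The manifest gives a count of substitutions per record that can be checked by a second reviewer before release, which is the control most often missing when redaction is done by hand.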
What is the risk of getting DSARs wrong?
Complying with DSARs can be costly and time-consuming, but failing to comply carries significant risks. The right of access can be enforced by the ICO, and action can be taken against a data controller or data processor that fails to comply with data protection legislation. A requester may also apply for a court order requiring an employer to comply, or seek compensation for the failure. Finally, the ICO has the power to issue fines for breaches of the data protection principles or of any of an individual's rights, and decides the amount on a case-by-case basis. The maximum penalty is £17.5 million or 4% of an organisation's total annual worldwide turnover, whichever is higher.
If you would like more information on how to manage DSARs effectively, Trowers & Hamlins are able to advise on minimising the risk and costs involved.