10th November, 2020
Dealing with Data Subject Access Requests – Top Tips for Employers
In October 2020, the Information Commissioner’s Office published updated guidance on what should be considered when responding to a Data Subject Access Request.
The newly published guidance has not come about as a result of a change in the law but provides additional advice and clarification for employers who receive a DSAR.
Under the General Data Protection Regulation (‘GDPR’) an individual has the right to ask for the personal data an organisation holds about them. That request is known as a Data Subject Access Request (or ‘DSAR’) and entitles the individual to a copy of their personal data, together with information about how it is being used, from any organisation that collects and stores it.
Because of the nature of the employment relationship, employers commonly receive DSARs from current and former employees. Failure to deal with a request properly could result in the employee complaining to the ICO, or applying to a court, which may order the employer to comply.
We have set out our top tips for employers who receive a DSAR below.
Responding to the Request
If you receive a DSAR, don’t delay. Requests must be handled without undue delay and, in any event, within one month of receipt. That period can be extended by up to two further months where the request is complex or the individual has made a number of requests, but whether an extension is reasonable depends on the complexity of the particular request and the number of requests made. The ICO guidance includes examples of ‘complex’ requests to help employers decide whether they can reasonably extend the time limit for their response.
We recommend that you acknowledge a request as soon as possible and, if you intend to extend the deadline for providing the data, tell the employee within the first month and explain why.
Employers must be satisfied that the request has been made by (or with the authority of) the person it concerns. If you are in any doubt, you can ask for proof of identity before dealing with the request, but ask only for what is reasonably needed to confirm who is asking.
Consider the scope of the request
You may wish to use your initial response to ask the employee to clarify what information they are seeking, and under the October 2020 guidance the one-month time limit is paused while you wait for that clarification. However, the ICO states that requests for clarification are unlikely to be reasonable or necessary where you ‘process a large volume of information in relation to the individual but can obtain and provide the requested information quickly and easily.’
DSARs must be dealt with free of charge. A reasonable fee, based on administrative cost, may only be charged for further copies of the data or where a request is manifestly unfounded or excessive.
‘Manifestly unfounded or excessive’ requests may enable an employer to refuse to act on the request. It is for the employer to demonstrate that the request is manifestly unfounded or excessive. In the event that you refuse to act on a request for this reason, you must notify the employee of your reasons for doing so, and notify them that they have a right to complain to the ICO.
The ICO sets out detailed guidance on the meaning of manifestly unfounded or excessive. This includes requests made with malicious intent against the employer, for example to harass it rather than to obtain the data. Even where you believe that a request meets that definition, we suggest that you respond so far as you think is reasonable and proportionate rather than refusing to deal with the request altogether.
Conducting the Search
Employers must make genuine and extensive efforts to locate the personal data requested by the employee, although searches that would be unreasonable or disproportionate are not required. Keep records of the searches conducted (which systems were searched, which terms were used and by whom) and of all the information located; those records are your evidence if the employee later complains.
Where you are searching on electronic systems for key words, consider using variations on a person’s name or alternative identifiers. For example, searching for shortened versions of a person’s name (Jackie rather than Jacqueline), their initials, and any nicknames.
Ensure that you search your main servers and file stores, as well as archived and backed-up data, data that has been deleted but can still be recovered, and data held on other systems, for example email and messaging platforms, HR and payroll systems, and any devices used for work.
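The search described above, as an added example in Python (this is illustrative code, not from the article or the ICO): a full name is expanded into the variants the guidance mentions (short forms, initials, nicknames, the bare surname), every variant is searched across a set of documents, hits on broad terms such as initials are flagged for human review, and a search log of the kind the employer should keep is produced. The short-form table, the nickname, the document paths and their text are all constructed for the example.

```python
"""Keyword search over a document set with name-variant expansion.

Added example: not from the original article or the ICO. The short-form
table, the nickname, the document set and the file paths are constructed.
"""
import re
from datetime import datetime, timezone

# Assumed, deliberately short table of common short forms of first names.
SHORT_FORMS = {
    "jacqueline": ("jackie", "jacqui"),
    "robert": ("rob", "bob"),
    "elizabeth": ("liz", "beth"),
}


def name_variants(full_name, nicknames=()):
    """Expand a full name into search terms: the full name, 'Surname, First',
    known short forms (alone and with the surname), nicknames supplied by HR,
    the bare surname and the initials. Terms are returned longest first so
    that 'Jackie Smith' is one hit rather than 'jackie' plus 'smith'."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    terms = {full_name.lower(), f"{last}, {first}", last, "".join(p[0] for p in parts)}
    for short in SHORT_FORMS.get(first, ()):
        terms.update({short, f"{short} {last}"})
    terms.update(n.lower() for n in nicknames)
    return sorted(terms, key=lambda t: (-len(t), t))


def broad_terms(full_name):
    """Bare surname and initials also hit other people; flag them for review."""
    parts = full_name.lower().split()
    return {parts[-1], "".join(p[0] for p in parts)}


def search_documents(documents, full_name, nicknames=()):
    """documents: {document id: text}. Returns (hits, audit_record).

    Each hit records the document, the term that matched, a short snippet and
    whether the term is broad and needs a human to confirm it really refers
    to the requester. The audit record is the search log to keep on file."""
    terms = name_variants(full_name, nicknames)
    broad = broad_terms(full_name)
    pattern = re.compile(
        r"(?<!\w)(" + "|".join(re.escape(t) for t in terms) + r")(?!\w)",
        re.IGNORECASE,
    )
    hits = []
    for doc_id, text in documents.items():
        for m in pattern.finditer(text):
            term = m.group(1).lower()
            hits.append({
                "doc": doc_id,
                "term": term,
                "review": term in broad,
                "snippet": text[max(0, m.start() - 25): m.end() + 25].replace("\n", " "),
            })
    audit = {
        "searched_at": datetime.now(timezone.utc).isoformat(),
        "subject": full_name,
        "terms": terms,
        "documents_searched": sorted(documents),
        "hit_count": len(hits),
    }
    return hits, audit


# Constructed sample documents (not real data).
SAMPLE_DOCUMENTS = {
    "hr/appraisal-2019.txt": "Appraisal for Jacqueline Smith. Manager comments: exceeded targets.",
    "mail/2020-03-02.eml": "Subject: Cover on Friday\n\nCan Jackie cover the desk on Friday? Thanks, Rob",
    "mail/2020-04-11.eml": "Approved by JS. Invoice 4471 paid.",
    "mail/2020-05-20.eml": "Lunch with Jax and the team went well.",
    "finance/q2-summary.txt": "Q2 revenue up 4%; no headcount changes.",
}

if __name__ == "__main__":
    found, log = search_documents(SAMPLE_DOCUMENTS, "Jacqueline Smith", nicknames=("Jax",))
    for h in found:
        flag = " (review: broad term)" if h["review"] else ""
        print(f'{h["doc"]}: "{h["term"]}"{flag} ... {h["snippet"]}')
    print(f'{log["hit_count"]} hits across {len(log["documents_searched"])} documents')
```

Run against the sample set, the search finds the appraisal, the "Jackie" email, the "JS" approval (flagged for review, since initials are shared by other people) and the "Jax" email, and correctly ignores the finance summary. In practice the same expansion would be fed to whatever search tooling sits in front of the mail server, HR system and file shares, and the audit record written to the DSAR file.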
Data relating to third parties
Where data located through a search includes information or data relating to other people, consider whether it is appropriate to disclose that data to the person who has made the DSAR. Some of that information may have no relevance to the employee who made the request (non-relevant personal data) and can be excluded from the data provided. Other documents or information may include data relating to the person who made the DSAR and a third party.
For the second category, consider whether you can:
– Obtain consent from the third party to the disclosure of their data to the employee who has made the request;
– Redact the data relating to third parties;
– Exclude the information on the basis that it does not fall within the category of ‘personal data’, for example, where the information located relates to financial performance of the business; or
– Disclose the data without the third party’s consent, where it is reasonable to do so in all the circumstances (for example, where the third party was acting in a work capacity and the information is already known to the employee).
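The redaction option in the list above, as an added example in Python (illustrative code, not from the article or the ICO): third parties’ full names, email addresses and bare surnames are masked in the text before it is released, the requester’s own name is left intact, and a surname the requester shares with a third party is not masked on its own but reported for manual review, since the bare word could refer to either person. The names, addresses and document text are constructed for the example.

```python
"""Redacting third-party identifiers before a DSAR response is released.

Added example: not from the article or the ICO. The names, email addresses
and document text are constructed.
"""
import re


def redact_third_parties(text, requester_name, third_parties, mask="[THIRD PARTY]"):
    """Mask third parties in text destined for the requester.

    third_parties: list of {"name": ..., "email": ... (email optional)}.
    Masks each third party's full name (both orders), email address and bare
    surname. A surname shared with the requester is ambiguous on its own, so
    it is left in place and reported in needs_review for a human to check.
    Returns (redacted_text, redaction_count, needs_review)."""
    requester_surname = requester_name.lower().split()[-1]
    terms, needs_review = [], []
    for tp in third_parties:
        parts = tp["name"].lower().split()
        first, last = parts[0], parts[-1]
        terms += [tp["name"].lower(), f"{last}, {first}"]
        if last == requester_surname:
            needs_review.append(last)
        else:
            terms.append(last)
        if tp.get("email"):
            terms.append(tp["email"].lower())
    if not terms:
        return text, 0, needs_review
    # Longest first, so an email address is masked before the surname inside it.
    terms.sort(key=lambda t: (-len(t), t))
    pattern = re.compile(
        r"(?<!\w)(" + "|".join(re.escape(t) for t in terms) + r")(?!\w)",
        re.IGNORECASE,
    )
    redacted, count = pattern.subn(mask, text)
    return redacted, count, needs_review


# Constructed sample (not real data).
SAMPLE_TEXT = (
    "Jackie Smith raised a grievance on 3 March. Rob Patel (rpatel@example.com) "
    "and Patel's manager, Anna Smith, attended the meeting. Smith to send minutes; "
    "contact asmith@example.com with queries."
)
THIRD_PARTIES = [
    {"name": "Rob Patel", "email": "rpatel@example.com"},
    {"name": "Anna Smith", "email": "asmith@example.com"},
]

if __name__ == "__main__":
    redacted, n, review = redact_third_parties(SAMPLE_TEXT, "Jacqueline Smith", THIRD_PARTIES)
    print(redacted)
    print(f"{n} redactions; surnames needing manual review: {review}")
```

On the sample text this produces five redactions and leaves "Smith to send minutes" untouched, reporting "smith" for review: a reviewer has to decide from context whether that sentence refers to the requester or to Anna Smith. Automated masking of this kind is a first pass only; the redacted bundle should still be read through before it is sent.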
Providing the Response
Responses to a DSAR should be in writing or by electronic means. Where the employee made the request electronically, for example by email, the information should be provided in a commonly used electronic form unless they ask for it in another way. Whatever the format, send it securely: a response containing personal data that is misdirected or sent unprotected is itself a data breach.
Copies of the data identified by the employer should be provided, with redaction where appropriate. Where there is a large amount of repetitive data, it may be appropriate to provide a summary of the data identified rather than copies of the documents. Bear in mind that this could be challenged by the employee, and examined by the Information Commissioner if the employee complains.
Detailed guidance on responding to DSAR can be located on the ICO website.
Employers who receive a DSAR request and are unsure as to their responsibilities when responding should take specialist legal advice. Debbie Coyne, Senior Associate in the Employment Team at Aaron & Partners LLP, can assist with your DSAR queries or any other Employment Law issues.