In a world where personal data can be used and shared so easily, it is important for individuals to have control over their own data. Since the General Data Protection Regulation (GDPR) came into force in May 2018, more and more people are exercising their rights in relation to their personal data. The GDPR provides greater rights for individuals in the EU to access their own personal information which is held by others. Whilst data subject access requests (DSARs) existed under the old legislation, the GDPR places more stringent requirements on employers in terms of compliance. In the light of new guidance published by the Information Commissioner's Office (ICO), this article aims to act as a refresher for employers on their obligations relating to the right of access by an individual, as well as a summary of the recent updates.
A DSAR may be made in writing, or by email or other electronic means. For employers, it is recommended that a preferred method of contact is made clear to employees to ensure the requests are received by appropriate members of staff. A DSAR relates to “personal data” which simply means any information relating to an individual, often referred to as a ‘data subject’. Information that can be requested by the data subject includes:
If personal data is being processed, an employee is entitled to be given a copy of their personal data, together with other information, such as the:
Whilst an employee may be genuinely motivated by a wish to find out what data is being processed and to make sure that it is accurate, often DSARs can be useful for employees in obtaining information when going through grievances, or in advance of mounting an Employment Tribunal claim. Regardless, the employer’s approach must be the same: the employer must facilitate the exercise of the subject access right, the request must be handled fairly and transparently, and the information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The basic rule is that requests must be handled without undue delay and, in any case, within one month. ICO guidance states that this period begins on the day on which the employer receives the request, and ends on the corresponding calendar date in the next month, unless that day is a bank holiday or weekend, in which case it ends on the next working day. If there is no corresponding date (i.e. the next month is shorter) then the deadline is the last day of the following month. However, an employer may extend that period by two months where necessary, taking into account the complexity and number of requests. Notwithstanding this, it is clear from the guidance that this extension should be used in exceptional circumstances only. Even where utilising this time extension, an employer must still respond within the first month to acknowledge receipt of the DSAR.
The employer’s response should usually be in writing, or by an appropriate means requested by the individual. In terms of locating relevant information, emails are usually a good place to start. From there, further searches can be carried out for more specific data. If personal details of another individual are involved, such data may require redaction.
The ICO has recently published new detailed guidance on responding to DSARs under the GDPR, following its consultation which ended in February this year. The ICO admitted the aim of the guidance is to provide some much needed clarification on “some aspects of the law that aren’t so clear cut”.
As noted above, once a request has been made, an employer will have one month in which to provide the data. Whilst there is no obligation to seek clarification on a DSAR, one issue that many employers may have experienced is the effect on the time limit when clarification of a request does need to be sought. Before the recent updated guidance, there was no provision to extend that timeframe where the controller asked the data subject to clarify their request. Now, in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to supply more information. The deadline for a response by the employer is extended by the same amount of time as the requester takes to provide the clarification. This arguably strikes the balance between the rights of individuals and providing some much-needed flexibility to employers dealing with an unclear or excessively broad DSAR.
Often there will be thousands of items of data processed relating to an individual employee. An employer may be able to argue that a request is manifestly unfounded or excessive. To combat previous confusion over when to class a request as manifestly excessive, the ICO has clarified that controllers should base their assessment of a DSAR on the proportionality of the request when considering the burden or costs involved against the rights of the requester. The ICO has focused on the word “manifestly” and advised that organisations must have strong justifications for concluding that a request is excessive. This presents a high bar in practice and each case should be decided on its own facts.
Under the GDPR, the information requested as part of a DSAR must, in most cases, be provided free of charge. However, a “reasonable” fee can be charged for the administrative costs of complying with a DSAR if it is manifestly unfounded or excessive, or an individual requests further copies of their data following a request.
Responding to a DSAR can be time-consuming and expensive. However, a failure to respond to DSARs can leave organisations open to the higher level of administrative fines under the GDPR: €20 million or up to 4% of annual global turnover – whichever is greater. The new guidance demonstrates a flexible and comprehensive approach to DSARs and should be well received by employers.
When responding to DSARs, the following are some useful initial considerations:
This article is for information purposes only and is not a substitute for legal advice and should not be relied upon as such. Please contact Rachael Lloyd to discuss any issues you are facing relating to this article.