What you need to know about data subject access requests: A guide for employers
In a world where personal data can be used and shared so easily, it is important for individuals to have control over their own data. Since the General Data Protection Regulation (GDPR) came into force in May 2018, more and more people are exercising their rights in relation to their personal data. The GDPR provides greater rights for individuals in the EU to access their own personal information which is held by others. Whilst data subject access requests (DSARs) existed under the old legislation, the GDPR places more stringent requirements on employers in terms of compliance. In the light of new guidance published by the Information Commissioner's Office (ICO), this article aims to act as a refresher for employers on their obligations relating to the right of access by an individual, as well as a summary of the recent updates.
The Basics: What is a DSAR in an Employment Law context?
A DSAR may be made in writing, or by email or other electronic means. For employers, it is recommended that a preferred method of contact is made clear to employees to ensure the requests are received by appropriate members of staff. A DSAR relates to "personal data" which simply means any information relating to an individual, often referred to as a 'data subject'. Information that can be requested by the data subject includes:
- The employee's personal file;
- The employee's emails and phone records which relate specifically to them; and
- Any documents or correspondence relating to any work they have done.
What are employees' rights in relation to DSARs?
If personal data is being processed, an employee is entitled to be given a copy of their personal data, together with other information, such as the:
- Purposes of the processing;
- Categories of personal data concerned;
- Recipients or categories of recipients to whom data has been or will be disclosed;
- Period during which personal data will be retained; and
- Information on the source of the data.
How should employers respond to DSARs?
Whilst an employee may be genuinely motivated by a wish to find out what data is being processed and to make sure that it is accurate, often DSARs can be useful for employees in obtaining information when going through grievances, or in advance of mounting an Employment Tribunal claim. Regardless, the employer's approach must be the same: the employer must facilitate the exercise of the subject access right, the request must be handled fairly and transparently, and the information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The basic rule is that requests must be handled without undue delay and, in any case, within one month. ICO guidance states that this period begins on the day on which the employer receives the request, and ends on the corresponding calendar date in the next month, unless that day is a bank holiday or weekend, in which case it ends on the next working day. If there is no corresponding date (i.e. the next month is shorter) then the deadline is the last day of the following month. However, an employer may extend that period by two months where necessary, taking into account the complexity and number of requests. Notwithstanding this, it is clear from the guidance that this extension should be used in exceptional circumstances only. Even where utilising this time extension, an employer must still respond within the first month to acknowledge receipt of the DSAR.
The employer's response should usually be in writing, or by an appropriate means requested by the individual. In terms of locating relevant information, emails are usually a good place to start. From there, further searches can be carried out for more specific data. If personal details of another individual are involved, such data may require redaction.
New guidance from the ICO
The ICO has recently published new detailed guidance on responding to DSARs under the GDPR, following its consultation which ended in February this year. The ICO admitted the aim of the guidance is to provide some much needed clarification on “some aspects of the law that aren’t so clear cut”.
Stopping the clock for clarification
As noted above, once a request has been made, an employer will have one month in which to provide the data. Whilst there is no obligation to seek clarification on the DSAR, one issue that many employers may have experienced is the impact on the time limit of needing to seek clarification on a request. Before the recent updated guidance, there was no provision to extend that timeframe where the controller asked the data subject to clarify their request. Now, in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to supply more information. The deadline for a response by the employer is extended by the same amount of time as the requester takes to provide the clarification. This arguably strikes the balance between the rights of the individuals and providing some much-needed flexibility to employers dealing with an unclear or excessively broad DSAR.
Often there will be thousands of items of data processed relating to an individual employee. An employer may be able to argue that a request is manifestly unfounded or excessive. To combat previous confusion over when to class a request as manifestly excessive, the ICO has clarified that controllers should base their assessment of a DSAR on the proportionality of the request when considering the burden or costs involved against the rights of the requester. The ICO has focused on the word "manifestly" and advised that organisations must have strong justifications for concluding that a request is excessive. This presents a high bar in practice and each case should be decided on its own facts.
Under the GDPR, the information requested as part of a DSAR must, in most cases, be provided free of charge. However, a "reasonable" fee can be charged for the administrative costs of complying with a DSAR if it is manifestly unfounded or excessive, or an individual requests further copies of their data following a request.
What this means for employers
Responding to a DSAR can be time-consuming and expensive. However, a failure to respond to DSARs can leave organisations open to the higher level of administrative fines under the GDPR: €20 million or up to 4% of annual global turnover – whichever is greater. The new guidance demonstrates a flexible and comprehensive approach to DSARs and should be well received by employers.
When responding to DSARs, the following are some useful initial considerations:
- Verify who is making the DSAR and check if they are requesting their own personal data. Alternatively, is it a third party requesting data on someone else's behalf, and do they have the specific authority to do so?
- Consider how broad the request is from the outset. An employee does not have to make a specific DSAR and can simply request all personal data held about them. Depending on the circumstances, this can be a time-consuming exercise. Where particularly large amounts of data are held, you may ask the employee to narrow down the request, though the individual is under no obligation to agree to this;
- Once the scale of the DSAR has been ascertained, are you able to respond within the permitted timescale?
- Weigh up who is the best person in your business to action the DSAR: multiple people may be required.
This article is for information purposes only and is not a substitute for legal advice and should not be relied upon as such. Please contact Rachael Lloyd to discuss any issues you are facing relating to this article.