Clarkslegal Law Bites
The Clarkslegal Law Bites offers guidance and insightful discussions on the latest topics for businesses and individuals covering employment, immigration, corporate, construction, property, litigation and more.
Data Subject Access Request: Advice for Employers
Since the introduction of the EU General Data Protection Regulation (GDPR) in 2018, employees have had the right to request access to their personal data from their employer using a Data Subject Access Request (DSAR).
In this podcast, Ciara Duggan and Oscar Poku, members of the Data Protection team at Clarkslegal, discuss DSARs in an employment law context, as they often appear where there is an ongoing dispute between an employee and their employer. They will explain what exactly a DSAR is, how one is made, and how companies should respond if they receive one.
If you have any questions at all about any aspect of the DSAR process, or need some advice on how to respond to a DSAR, please contact our Data Protection lawyers for advice.
Ciara Duggan 00:02
Hello, and welcome to Clarkslegal’s latest Data Protection podcast. My name is Ciara and I am joined today by my colleague Oscar, to discuss a data protection topic that appears to have generated a great deal of interest in recent weeks – the data subject access request.
Oscar Poku 00:16
On today’s podcast, we will be talking about DSARs in an employment law context, as they often appear where there is an ongoing dispute between a worker and their employer. We will take you through what exactly a DSAR is, how one is made, and how companies should respond if they receive one.
Ciara Duggan 00:34
To kick off, let’s discuss what DSARs are and how they work. Individuals have the right to access and receive a copy of their personal data. In order to exercise this right of access, individuals, who are the “data subjects”, can make a data subject access request, or DSAR. An individual has the right to know whether their employer is processing personal data belonging to them, and if so, they are entitled to a copy of that data.
Oscar Poku 01:00
We are going to hear the term “personal data” a lot on this podcast, and it is important that both the individual and the employer understand what types of data are covered by the personal data definition. Ciara, can you just give us a brief explanation of what personal data covers?
Ciara Duggan 01:17
So, personal data has two aspects to be aware of.
Firstly, personal data is “any information relating to an identified, or identifiable, living individual” (as per UK GDPR and DPA 2018). What this means is that information that can directly identify someone (such as their name, email address, mobile number, etc) and information that indirectly identifies someone (such as physical, mental, economic or social characteristics – the young ginger lady who works for Clarkslegal) are caught by the definition. This means that personal data that has been anonymised (by stripping personal data of sufficient elements that the individual can no longer be identified) is not subject to the UK GDPR.
Secondly, to be personal data, it must “relate to the individual” (as per the ICO guidelines). Data that identifies a person (even if not directly as just discussed) may be personal data if you are processing it to learn or record something about that person, or its processing will impact the individual. Key questions to ask here include:
- whether the content of the data is about an individual,
- whether the purpose you are processing the information for will make information personal data (ie, will it be used to learn about / evaluate / treat / decide about / influence the status or behaviour of the individual)
- will the data impact or have the potential to impact the individual.
Personal data can also catch data that is inaccurate as it still relates to that individual – for example, in a situation where the data subject is confused with someone else, because the information will relate to them (e.g. be used to make a decision about them) it will be caught.
Oscar Poku 03:03
Now that we have a bit more of an understanding about what personal data is, let’s talk through how an individual, or data subject, would go about accessing their data. This is where the DSAR comes in.
There is no prescribed or formal method for making a DSAR, though it is good practice for employers to have a preferred method set out in their data protection policies. DSARs can be made verbally or in writing, and submitted by email, letter, social media etc. In order to ensure that there is no delay in dealing with a DSAR, it is best to make a DSAR in writing.
There is no requirement to address a DSAR to anyone in particular. For employers, this means that when a DSAR is received, it is very important to pass it on to the person who deals with data protection matters as quickly as possible, for reasons we will talk about in a moment.
Ciara Duggan 03:54
It is possible to ask for “all the data the organisation processes” about you, but this may result in a lot of unnecessary information being disclosed to you. It can also run the risk of the employer either refusing to deal with your DSAR, or charging you a fee for admin costs, on the grounds that your request is “manifestly unfounded or vexatious”.
Oscar Poku 04:16
It is important to highlight here that this is not an easy test to satisfy – ICO guidance states that these grounds can be relied on where the individual has no intention of actually exercising their right of access, or it is malicious and intended to cause disruption.
Ciara Duggan 04:36
If as an employee you are making a DSAR for a particular reason, it is best to refine your DSAR and provide a timeframe, or identify people who are likely to have processed the information you are seeking or key search terms to be used. It is also good practice to include ID with your request in order to avoid processing delays.
Oscar Poku 04:56
Dealing with a DSAR can be a very time-consuming and expensive task, so it is important to have a clear process for dealing with them in place. On receiving a request, the first thing to check is whether you process information about the person making the request, and if so, how wide the individual’s request is. If the individual’s request is not clear, the employer should contact them as soon as possible to clarify what data the individual is looking for.
Ciara Duggan 05:23
Employers must deal with a DSAR “without undue delay”, and within one month of receiving the request (or clarifying the scope). So if you receive a request on 1 January, you must respond on 1 February. It is possible to extend this period by a further 2 months in situations where the request is complex or a number of requests are made at once. If an extension is required, the employer must inform the individual making the request as soon as possible, along with an explanation as to why an extension is required. Reasons could include:
- how complicated it is for the employer to retrieve their information (such as pulling from electronic archives)
- there is a lot of sensitive information caught by the request
- needing to obtain specialist legal advice.
If a request involves a very large volume of information, this may add to the complexity, but will not be a sufficient reason on its own for an extension.
Oscar Poku 06:20
Once the scope and timeline are understood, the employer should formally acknowledge the request and begin locating the data. This may involve a search of employees’ email inboxes, personnel files or messages on platforms such as Teams or Slack. Employers must use “reasonable efforts” to locate the information – not a “leave no stone unturned” approach, but genuine and extensive efforts.
Ciara Duggan 06:52
Once the documents or emails etc that contain the individual’s personal data have been identified, the employer will need to review the documents to ensure that only documents that fall inside the scope of the DSAR are included. The employer will also need to review the data to check whether the personal data of other people is caught in the documents, and if so, whether this will need to be redacted – among other factors, this will include consideration of whether those individuals have consented to their data being disclosed as part of the DSAR.
Oscar Poku 07:21
The employer will also need to review the documents caught by the DSAR to check for commercial or financial information. If this type of information is caught, then the employer will need to determine whether to redact, or withhold entirely. It is also for the employer to remove any duplicate documents from those caught by the DSAR.
This is a time-consuming process, depending on the volume of documents and level of redaction, and so employers should ensure they have sufficient time left to complete this.
Ciara Duggan 07:55
So once the employer has identified the documents to be disclosed, and removed or redacted information as necessary, they will need to provide copies of the personal data to the individual making the request. Unless the individual has expressly requested hard copies of the data, this will usually be by “commonly used electronic means”, such as PDFs or via a SharePoint site. The copies of documents should also be accompanied by a formal response letter.
Oscar Poku 08:22
This letter should include information about:
- information regarding the individual’s rights
- the purpose for which their data was processed
- categories of personal data caught
- information on how long it will be retained for
among other information. It is also important to inform the individual what information has been omitted from the DSAR, and of their rights to lodge a complaint with the Information Commissioner.
Ciara Duggan 08:52
And there you have it, our whistlestop tour of what a DSAR is, how to make one, and how to respond. If you have any questions at all about any aspect of the DSAR process, or need some advice on how to respond to a DSAR, our employment team is more than happy to assist you.