Data Subject Access Requests and handling employee requests
An unexpected consequence of the COVID-19 pandemic may be an increase in people exercising their right of access (commonly known as a DSAR / SAR). In particular, disgruntled ex-employees.
I was interested to see a survey by Guardum of a hundred DPOs which found 30% believe there will be a ‘massive increase’ in SARs over the next six months. Nearly three quarters of DPOs surveyed think these will be submitted by employees who were furloughed or laid off during the pandemic.
This caught my attention as I’ve been asked to help with four ex-employee SARs in the past week from different organisations and sectors. All made by people recently made redundant.
Ex-employee access requests can be challenging to handle for a number of reasons, not least the volume of information you hold and your duty to respect the privacy of other staff members whose personal data may be in the mix of what you retrieve.
Michael Bond, Global Data Protection Officer for News UK and a DPN advisory board member, is a strong believer in having a robust process:
“Where do you start with SARs? Having a well-documented SAR process is the single best tool in your arsenal; it’s empowering, as much as it is a practical necessity. A well thought through process gives you a reference point so you don’t get lost in the maze of decisions that need to be taken, it gives HR professionals the tools they need to manage day to day requests, and finally, it can give you peace of mind that the decisions you take are defensible.”
Here are some key points I would recommend considering for employee SARs:
1) Motive – the golden rule is whatever you think the person’s motive might be (even if you suspect they are on a fishing expedition to support a grievance procedure) you still have to fulfil the request.
2) Scope – you are allowed to ask the person to specify the information and / or areas of the business their request relates to. But remember, you can’t force the person to narrow the scope. If they want ‘all the personal data’ you hold on them, you have to provide this.
3) Right to a ‘copy’ – people have a right to a copy of their personal data. This doesn’t mean a right to documentation. You don’t have to provide all documents which include their personal data. You may choose to extract relevant information from these documents.
4) Opinions – personal data includes any opinions about individuals which have been documented (digital, paper records, recordings and so on).
5) Emails – the content of emails is within scope. If you don’t have an automated system for handling this, a search for an employee’s details can bring back thousands of results. It can help to develop effective search criteria. For example, business-as-usual emails an employee has sent as part of their day-to-day job may only contain their name and email address.
6) Protecting others – you have a duty to protect the privacy rights of other individuals who might be directly or indirectly identifiable. If the information you have gathered relates to other members of staff, clients or others, you need to consider whether:
- to seek their consent to share their information with the requester
- it would be reasonable to disclose anyway, without consent
- to redact (and whether redaction would definitely mean others couldn’t be identified)
- you have a duty of confidentiality; was the information disclosed to you with the expectation it would remain confidential?
7) Exemptions – alongside confidentiality, there are other exemptions which might be relevant and mean you can refuse to provide all or some of the information requested, such as:
- Legal professional privilege – this is limited in how it may apply
- Management information – management forecasting or planning might be exempt if complying with a SAR is likely to prejudice the conduct of your business or its activities. For example, a planned reshuffle in which certain employees are to be made redundant.
If you can justifiably exclude certain information from your response, remember to give your reasons why.
8) Keep evidence – make sure you document the approach you take, the decisions you make and your justifications for these.
To pass on some further tips for you, I got in touch with another of our advisory board members, Sara Howers. She’s the UK DPO at CGI I.T. UK Ltd. and has some helpful advice gained over the years at a number of international organisations:
- Allow enough time – give yourself enough time to handle subject access requests properly in addition to the ‘day job’. Assume you may need some extra time for sorting out IT issues (especially if everyone is working from home).
- Be sensitive – most people will be asking for a SAR in less than ideal circumstances, so be sensitive to that, and make sure the language you use is ‘non privacy’ speak. It can lessen the follow up enquiries you’ll receive too.
- Send data securely – make sure you have a good reliable method of sending your response securely – encryption is best, and again, have you tested this whilst remote working? (Plus send it securely even if they are still on the company network).
- Manage expectations – discuss timelines early on. Some things are currently taking a little longer whilst so many teams are still at home.
- Access – there will be documents they’ll have access to if they are still employed; make sure they know this and how they can access them, as it will reduce your workload.
- Other requests – if the SAR coincides with other data requests, for example, around lay-off or settlement conversations, do make sure to check in with your HR and Legal departments so the lines don’t get blurred between who is supplying them with what data and be clear what falls OUTSIDE of the SAR request. It’s worth sending the data subject a note of what is outside of scope, just to be clear up front.
No doubt, DPOs and data protection teams will be hoping this forecast of a spike in Subject Access Requests doesn’t come to fruition. It would put an added burden on teams who are pretty over-stretched already.
On a separate but related note, find out how another of our board members, Chris Field, Corporate Privacy Director at Harte Hanks handled receiving 9,000 SARs in one hit! You’ve been SAR-bombed.
For detailed guidance take a look at the ICO’s draft Right of Access Code of Practice. Although still in draft and subject to tweaks, this has a lot of helpful detail.
Philippa Donn, July 2020
Get in touch if you need some practical advice on handling Subject Access requests or other individual rights requests. Email: email@example.com and Julia, Simon or I will arrange a convenient time for a call.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.