A huge amount of personal data is collected by employers about employees during the course of their employment, which means that dealing with a Data Subject Access Request (DSAR) made by an employee can be a time-consuming task. However, following our tips below, the process can be made far less painful.
- Give yourself time…
Under the General Data Protection Regulation (GDPR) the time limit for responding to DSARs has been reduced from 40 days to one month. However, it is possible to extend this deadline by a further two months where the request is particularly complex, giving a total time of 3 months to comply.
Given that a large volume of data will be held on employees, which will need to be retrieved from a number of IT systems, an extension will very often be appropriate. It is important to note that the time limit can only be extended during that first month, so if you miss the deadline, not only will you be in breach of the GDPR but you will also be unable to extend for extra time. You should therefore consider whether an extension is appropriate as soon as the request is received.
- …but don’t delay
Whilst 3 months may appear at first to be a significant window of time, it is easy to underestimate how long the process will take. Depending on the employee’s length of service and how wide the employee’s request is, many thousands of documents may need to be reviewed and redacted before being disclosed to the employee.
It is therefore essential that employers begin the process of dealing with a DSAR as soon as possible, ideally from the first day it is received. Having a clear procedure will help avoid unnecessary delays; it should ideally include an agreed protocol with your IT team so that searches of electronic systems can be set up efficiently and with clear parameters.
- Ask the employee what they want…
Many employees will raise a DSAR because they are looking for information relating to a specific issue, for example because they believe comments have been made about them by members of staff during the course of dealing with a grievance they raised.
This information may be specified in the original request, but if it is not, it is a good idea to ask the employee whether the information they are seeking relates to a particular individual, a specific time frame or a type of file such as emails. Having this information can significantly narrow the searches you need to carry out and therefore reduce the number of documents you will need to review.
- …but be prepared to search all systems
Although employees will often be willing to specify what they want from their request, there is no requirement for them to specify what information they are looking for. Your processes should therefore be set up to enable you to gather and provide all personal data processed about the employee.
In such cases, employers are expected to make genuine and extensive efforts to gather together the relevant personal data. This will include searching beyond the employee’s HR file through all electronic systems such as emails and any databases where employee data is held, along with archived items where they are easily accessible given the resources and expertise of the employer. The general principle is that the search must be reasonable and proportionate, though the courts have generally placed a high bar as to what is considered proportionate.
- Disclose data not documents…
Once you have identified the data, you will need to consider in what form this should be disclosed to the employee. In doing so, it is useful to remember that data subjects are only entitled to the personal data itself and not the documents it is contained within. This means that if the personal data appears within only one paragraph of a much larger report, you could provide this paragraph alone as an extract of the report.
Equally, where the same type of personal data appears in the same way in a large number of documents, such as a monthly HR report listing names and NI numbers, it is also acceptable to provide a schedule confirming the personal data included in these documents and the titles of the documents in which this appears.
- … and only what the employee is entitled to
Data subjects are not entitled to personal data about third parties or non-personal data so this data should be redacted from the documents which are disclosed.
There are also some circumstances where the employee will not be entitled to the data even if it is personal data relating to them. This will include:
- Personal data which is covered by legal professional privilege;
- References given or received about the employee;
- Personal data which is being processed for the purposes of management forecasting or planning where revealing that data could prejudice the business (e.g. details of a staff redundancy programme which has not yet been announced); and
- Records of intentions in relation to negotiations with the employee, where revealing these records would prejudice the negotiations (e.g. internal discussions about a termination payment offer).
Determining what data is and isn’t disclosable can sometimes be complex and we suggest you obtain legal advice if you are unsure whether an employee is entitled to a specific piece of information.