Data subject access requests (DSARs) are increasingly being used by employees as a pre-litigation fishing expedition in the context of disciplinary or grievance procedures.
In Devonshires’ recent article, we commented on the Data Reform Bill which may provide welcome relief to data controllers facing vexatious or excessive requests. Whilst we await further guidance on the impact of the Bill, below we have set out some key points an employer should consider following receipt of a DSAR.
Limiting the scope
Data subjects are often looking for something specific, so employers may not be required to disclose every piece of personal data they hold in relation to an individual. It is therefore worthwhile engaging with the data subject to find out exactly what they are looking for, and attempt to agree limited search parameters. This will reduce the time and resources an employer spends on providing the data.
Data subjects have a right to receive their personal data within one month of their request. Whilst this may seem like a reasonable length of time, employers often hold vast amounts of data in relation to employees. Extracting, reviewing and categorising such data can often be a long process, particularly where the employee has worked for an organisation for a number of years. With that in mind, we encourage employers to act promptly following receipt of a DSAR and begin the process of extracting data as soon as possible.
Where a request is particularly complex, it is possible for an employer to extend the deadline for providing the personal data by a further two months. Even where an employer is able to extend the deadline, a complex request will take longer to deal with, so employers should not delay getting the process underway.
Personal data only
There is an important distinction to be made between documents and data, and employees often mistakenly believe they are entitled to receive whole documents. Rather, an employee is entitled to the personal data contained within documents and employers can extract data or redact documents where necessary. Where a document does not contain any personal data, then an employer is not required to provide it. This would include business emails which solely relate to the day-to-day business of the employer.
Where data also identifies third parties, the third party data should only be disclosed where the third party has given their consent or it is considered reasonable to disclose it without their consent. This will depend on the circumstances and requires employers to balance the rights of the data subject against the rights of the third party.
Certain information is exempt from DSARs, including information covered by legal privilege, employee references given in confidence, details of future business plans that would be prejudiced if disclosed and any negotiations with the employee where revealing them would prejudice the negotiations.
Data retention policy
It is good practice for employers to avoid holding data for longer than is necessary. Employers are advised to have a data retention policy in place and to ensure they comply with it, rather than holding data for longer than required. This will also limit the amount of personal data an organisation holds, which in turn will make any DSAR easier to deal with.
For more information on dealing with data subject access requests, please contact a member of the Employment Team.