13 September 2018

Subject Access Requests – what do employers need to know?

Since the General Data Protection Regulation (GDPR) came into force on 25 May this year, there has been a surge in the use of Subject Access Requests (SARs) by employees. Jim Wright explores the reasons for this, the impact on employers and what to do if you receive one.

SARs can be raised by employees in a number of different circumstances. Some employees are genuinely concerned to discover what data is held and processed about them, and to check that it is accurate. In other cases, however, employees use SARs to put pressure, administrative burden and expense on employers. If an employment dispute already exists, the submission of a SAR may simply open another battlefront.

Unfortunately, unless a SAR raised by an employee is “manifestly unfounded or excessive” (in which case the employer may refuse to act on it or charge a reasonable fee), GDPR gives no weight to the employee’s motivation in making the request. As much as businesses should hope for genuine requests from concerned employees without a broader agenda, they should prepare for the worst. And by the worst, we simply note that we’ve seen an increase in the number of SARs submitted electronically after the pubs have closed…

The first question which needs to be addressed is whether the organisation can spot a SAR when it is raised and get it to whoever needs to respond in a timely fashion. A SAR does not have to be labelled as such or sent to any particular address, and the one-month clock runs from receipt, not from the moment the request reaches the right person. Guidance suggests that a SAR could, in principle, be raised via an employer’s Facebook or Twitter account.

Assuming the SAR does not languish in someone’s in-tray and is passed promptly to whoever is to deal with it, the employer needs to consider quickly whether it is satisfied as to the identity of the person raising the SAR and what information is being requested. Employers often hold large amounts of data on employees (e.g. emails), and if the employee has been vague or deliberately wide in the SAR it may be prudent to ask for clarification as to the information sought.

Any SAR must be dealt with within one month of receipt. This period can be extended by a further two months if the SAR is complex, for example where it involves information from many different email accounts or requires a significant amount of redaction of other people’s personal data. The employee must be told of any extension, and the reasons for it, within the first month.

An employee issuing a SAR does not have rights above those of other employees, so redaction will be needed where an employer must provide emails that contain personal data relating to others. It is therefore possible that large sections of emails will be blacked out. Businesses may need to consider whether they have the IT skills to rapidly redact multiple pages of emails referencing the individual who has raised the SAR. The redaction must also be done properly: a black box drawn over text in a PDF whose text layer is still intact has redacted nothing, so the disclosed copy should be generated fresh from the redacted text rather than annotated over the original.
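The scoping and redaction steps described above (searching a mailbox for messages about the requester, then removing other people’s personal data before disclosure), as an added example that is not part of the original article. The mailbox, the data subject and the staff directory are all constructed sample data, and the `[REDACTED]` placeholder and the function names are this example’s own choices rather than anything the article prescribes:

```python
"""
Added example (not from the original article): find the emails that mention a
data subject and redact other people's personal data before disclosure.
Everything here is constructed: the mailbox, the data subject and the staff
directory are hypothetical sample data.
"""
import email
import re
from email import policy

# Constructed sample mailbox: two RFC 5322 messages as they might come out of an export.
RAW_MESSAGES = [
    "From: Alice Manager <alice.manager@example.com>\n"
    "To: Bob Colleague <bob.colleague@example.com>\n"
    "Subject: Re: Sam Jones performance review\n"
    "Date: Mon, 03 Sep 2018 09:15:00 +0000\n"
    "\n"
    "Bob, I spoke to Sam Jones about the missed deadline. Sam said Carol Smith\n"
    "had not sent the figures. Can you check with Carol? Copy sam.jones@example.com.\n",
    "From: Carol Smith <carol.smith@example.com>\n"
    "To: Alice Manager <alice.manager@example.com>\n"
    "Subject: Lunch on Friday\n"
    "Date: Tue, 04 Sep 2018 12:00:00 +0000\n"
    "\n"
    "Alice, are you free for lunch on Friday? Bob might join.\n",
]

# The employee who raised the SAR (hypothetical).
DATA_SUBJECT = {"name": "Sam Jones", "email": "sam.jones@example.com"}

# Hypothetical staff directory: the other people whose personal data must be redacted.
STAFF_DIRECTORY = [
    {"name": "Alice Manager", "email": "alice.manager@example.com"},
    {"name": "Bob Colleague", "email": "bob.colleague@example.com"},
    {"name": "Carol Smith", "email": "carol.smith@example.com"},
]

REDACTED = "[REDACTED]"
SEARCH_HEADERS = ("From", "To", "Cc", "Subject")


def parse_messages(raw_messages):
    """Parse raw message text into EmailMessage objects using the modern email policy."""
    return [email.message_from_string(raw, policy=policy.default) for raw in raw_messages]


def plain_body(msg):
    """Return the text/plain body of a message, or an empty string if it has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def mentions_subject(msg, subject):
    """True if the requester's name or address appears in the key headers or the body."""
    text = " ".join(str(msg.get(h, "")) for h in SEARCH_HEADERS) + "\n" + plain_body(msg)
    text = text.lower()
    return subject["name"].lower() in text or subject["email"].lower() in text


def _patterns_for(person):
    """Regexes for one third party, most specific first: address, full name, first name."""
    full_name = person["name"]
    first_name = full_name.split()[0]
    return [
        re.compile(re.escape(person["email"]), re.IGNORECASE),
        re.compile(r"\b" + re.escape(full_name) + r"\b", re.IGNORECASE),
        # A first name on its own is matched case-sensitively to reduce hits on ordinary words.
        re.compile(r"\b" + re.escape(first_name) + r"\b"),
    ]


def redact_third_parties(text, subject, directory):
    """Replace the personal data of everyone in the directory except the data subject."""
    for person in directory:
        if person["email"].lower() == subject["email"].lower():
            continue  # the requester's own data is what is being disclosed; never redact it
        for pattern in _patterns_for(person):
            text = pattern.sub(REDACTED, text)
    return text


def build_disclosure(raw_messages, subject, directory):
    """Select the messages that are about the requester and return redacted copies."""
    disclosure = []
    for msg in parse_messages(raw_messages):
        if not mentions_subject(msg, subject):
            continue  # not the requester's personal data, so outside the scope of the SAR
        disclosure.append({
            "from": redact_third_parties(str(msg["From"]), subject, directory),
            "to": redact_third_parties(str(msg["To"]), subject, directory),
            "subject": redact_third_parties(str(msg["Subject"]), subject, directory),
            "date": str(msg["Date"]),
            "body": redact_third_parties(plain_body(msg), subject, directory),
        })
    return disclosure


if __name__ == "__main__":
    for item in build_disclosure(RAW_MESSAGES, DATA_SUBJECT, STAFF_DIRECTORY):
        print(f"From: {item['from']}\nTo: {item['to']}\nSubject: {item['subject']}\n")
        print(item["body"])
```

Two limitations are worth noting. Directory-driven matching only redacts people the directory knows about, and a bare first name can still collide with an ordinary word or with someone outside the directory, so a human review pass over the output is still needed before disclosure. The script also writes the redacted text into a new record rather than marking up the original, which is what keeps the blacked-out content from being recoverable in the copy that is handed over.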

Employers need to be able to demonstrate that they have looked in systems such as email back-ups and data saved on individual managers’ PCs. As a result, managers may need to be asked to check and confirm that they have not saved such information outside their email account.

Employees and their representatives are often misinformed as to the limits on the personal data to which an employee can seek access via a SAR; there is a principle of proportionality. Employers must take reasonable and proportionate steps to find the data, but need not necessarily ‘leave no stone unturned’. For example, employers do not usually need to engage specialist IT consultants to recover deleted emails.

Businesses may also wish to look closely at retention periods for employee data. An employer that has kept every email and document relating to an employee over a 20-year career is likely to wish, when a detailed SAR arrives, that it had brought in a retention policy deleting data after six years. A retention policy only helps if it is actually applied, including to back-ups, since those will have to be searched too. Once the material has been collated and redacted, copies can be provided electronically or in hard copy.

Complaints about how an employer responds to a SAR go to the Information Commissioner, although we note that employees often try to complain about it to Employment Tribunals as well. After investigation, the Information Commissioner will consider whether the employer has breached the requirements for responding to the SAR. In extreme cases the Information Commissioner can serve enforcement notices and impose financial penalties. Despite what employees often think, the Information Commissioner cannot award them compensation, although an employee could bring a court claim seeking compensation for damage and distress arising from any such failure.

For more information, please contact Jim Wright.

Jim’s advice on SARs was included in HR Magazine