In this article, our Senior HR Consultant, Daniel Williams, discusses how employers can handle data Subject Access Requests.
Since the introduction of the EU General Data Protection Regulation (GDPR) in 2018, businesses are increasingly tasked with obeying Data Subject Access Requests (DSAR/SAR). An individual can make these written requests to an organisation, who holds their personal information, such as an employee and their employer. GDPR accelerated the deadline for organisations to respond to these types of requests from 40 days to one month.
A DSAR is any request by an individual for his or her personal data only. It does not need to mention the GDPR or the Data Protection Act. This request relates to their personal data, but includes the purpose of processing the data, the source of the data and who the data has or will be shared with. As soon as a request is identified, ensure that any routine data deletion or destruction processes are suspended with respect to the personal data of that individual. In addition, it is now a criminal offence to delete, destroy, alter or conceal personal data to frustrate a SAR (Section 173 DPA 2018).
Before communicating with the individual, satisfy yourself with respect to their identity. The measures you take depend on what is reasonable in the circumstances. It may be deemed reasonable to contact those responsible of the personnel files to see if the identification there is sufficient. However, a representative, such as a solicitor, can make a request on behalf of the individual. Therefore, it is best to seek reassurance from the individual that they have authorised this request on behalf of them. Should further ID be required, ask for photographic ID or a company issued ID.
From receiving the request, you have one month to respond. Unless, the request is excessive and deemed unreasonable you can get an extension for this, however, the individual must be informed of this as soon as possible. One received the request a receipt or acknowledge can be sent to the employee, this is for best practice measures, opening up a line of communication with the individual provides immediate reassurance that an organisation is taking its responsibilities seriously.
Sometimes, a DSAR is not clear or is extensive (due to length of service or amount of data), the organisation should inform the individual of this and seek clarification of their request. Although the individual is under no obligation to explain why they want the personal data or what they intend to do with it.
Organisations are expected to be able to conduct reasonable and proportionate searches of its hard copy and/or electronic filing systems, in order to identify the personal data belonging to the individual. This may include client / employee files, Outlook accounts and data held by data processors. All forms of information may fall to be disclosed, including audio recordings or CCTV footage. The organisation must be aware of expiration dates on the likes of CCTV and its data retention policy.
There are several reasons why personal data should not be disclosed or redacted. You are not required, and should not, disclose an individual’s personal data if this would adversely affect the rights of other individuals. This issue frequently arises with respect to mixed data such as email communications and meeting notes, which are the personal data of the individual, as well as the others in the email chain or at the meeting. In determining whether to disclose this mixed data, consideration must be given to whether the third parties have consented to its disclosure or whether it is otherwise reasonable to disclose it. There are no easy rules of thumb to follow. Rather, careful consideration needs to be given to the specific content and context of this material. Further exceptions include confidential references, management information, legal advice and settlement negotiations.
If a DSAR is has been made electronically, the default is to respond electronically, unless stated otherwise. However, it is always best to check with the individual first. Especially where sensitive or special category data is being disclosed, ensure that this is disclosed in the most secure method possible.
For best practice you should keep an audit trail of the request, including the sources of information which was collated, the review undertaken, key decisions made concerning whether information amounted to personal data and whether exemptions applied, the response provided and disclosure made, as well as all communications with the individual and other third parties. This will be essential if the individual seeks an internal review of the response or complains to the ICO. You may not receive another request or for a long time, but it is best to always be prepared and track your progress to protect and educate yourself.
As an employer, there are several activities you can take to safeguard and futureproof your organisation from DSARs:
Should you be affected by a Data Subject Access Request, please get in touch with us at High Performance for further information.
If you have any concerns or would like to discuss the topics within this article further, please get in contact with the HPC team today.
T: 0844 800 5932